Preface



The second International Conference on Applied Cryptography and Network 
Security (ACNS 2004) was sponsored and organized by ICISA (the International 
Communications and Information Security Association). It was held in Yellow 
Mountain, China, June 8-11, 2004. The conference proceedings, representing 
papers from the academic track, are published in this volume of the Lecture 
Notes in Computer Science (LNCS) of Springer-Verlag. 

The area of research that ACNS covers has been gaining importance in recent 
years due to the development of the Internet, which, in turn, implies global 
exposure of computing resources. Many fields of research were covered by the 
program of this track, presented in this proceedings volume. We feel that the 
papers herein indeed reflect the state of the art in security and cryptography 
research, worldwide. 

The program committee of the conference received a total of 297 submissions 
from all over the world, of which 36 submissions were selected for presentation 
during the academic track. In addition to this track, the conference also hosted 
a technical/industrial track of presentations that were carefully selected as well. 
All submissions were reviewed by experts in the relevant areas. 

Starting from the first ACNS conference last year, ACNS has given best paper 
awards. Last year the best student paper award went to a paper that turned out 
to be the only paper written by a single student for ACNS 2003. It was Kwong 
H. Yung who got the award for his paper entitled “Using Feedback to Improve 
Masquerade Detection.” Continuing the “best paper tradition” this year, the 
committee decided to select two student papers among the many high-quality 
papers that were accepted for this conference, and to give them best student 
paper awards. These papers are: “Security Measurements of Steganographic Systems”
by Weiming Zhang and Shiqu Li, and “Evaluating Security of Voting Schemes in the
Universal Composability Framework” by Jens Groth. Both papers appear in this
proceedings volume, and we would like to congratulate the recipients for their
achievements.

Many people and organizations helped in making the conference a reality. We 
would like to take this opportunity to thank the program committee members 
and the external experts for their invaluable help in producing the conference’s 
program. We also wish to thank Thomas Herlea of KU Leuven for his extraordinary
efforts in helping us to manage the submissions and for taking care of all
the technical aspects of the review process. Thomas, single-handedly, served as
the technical support committee of this conference! We extend our thanks also
to the general chair Jianying Zhou (who also served as publication chair and
helped in many other ways), the chairs of the technical/industrial track (Yongfei
Han and Peter Landrock), the local organizers, who worked hard to assure that
the conference took place, and the publicity chairs. We also thank the various
sponsoring companies and government bodies. Finally, we would like to thank
all the authors who submitted papers to the conference.



April 2004 Markus Jakobsson and Moti Yung 
CamouflageFS: Increasing the Effective Key Length in
Cryptographic Filesystems on the Cheap



Michael E. Locasto and Angelos D. Keromytis 



Department of Computer Science 
Columbia University in the City of New York 
{locasto, angelos}@cs.columbia.edu



Abstract. One of the few quantitative metrics used to evaluate the security of a 
cryptographic file system is the key length of the encryption algorithm; larger key 
lengths correspond to higher resistance to brute force and other types of attacks. 
Since accepted cryptographic design principles dictate that larger key lengths also 
impose higher processing costs, increasing the security of a cryptographic file 
system also increases the overhead of the underlying cipher. 

We present a general approach to effectively extend the key length without imposing
the concomitant processing overhead. Our scheme is to spread the ciphertext
inside an artificially large file that is seemingly filled with random bits according to 
a key-driven spreading sequence. Our prototype implementation, CamouflageFS, 
offers improved performance relative to a cipher with a larger key-schedule, while 
providing the same security properties. We discuss our implementation (based on 
the Linux Ext2 file system) and present some preliminary performance results. 
While CamouflageFS is implemented as a stand-alone file system, its primary 
mechanisms can easily be integrated into existing cryptographic file systems. 



“Why couldn’t I fill my hard drive with random bytes, so that individual files would
not be discernible? Their very existence would be hidden in the noise, like a striped tiger
in tall grass.” - Cryptonomicon, by Neal Stephenson [17]



1 Introduction 

Cryptographic file systems provide data confidentiality by employing encryption to protect
files against unauthorized access. Since encryption is an expensive operation, there is
a trade-off between performance and security that a system designer must take into
consideration. One factor that affects this balance is the key length of the underlying cipher:
larger key lengths imply higher resistance against specific types of attacks, while at the
same time requiring more rounds of processing to spread the influence of the key across
all plaintext bits (“avalanche effect”). This is by no means a clear-cut comparison, however:
different ciphers can exhibit radically different performance characteristics (e.g.,
AES with 128 bit keys is faster than DES with 56 bit keys), and the security of a cipher is
not simply encapsulated by its key length. However, given a well designed variable-key-length
cryptographic cipher, such as AES, the system designer or administrator is faced
with the balance of performance vs. key length.



M. Jakobsson, M. Yung, J. Zhou (Eds.): ACNS 2004, LNCS 3089, pp. 1-15, 2004. 
(c) Springer-Verlag Berlin Heidelberg 2004
We are interested in reducing the performance penalty associated with using larger
key sizes without decreasing the level of security. This goal is accomplished with a
technique that is steganographic in nature; we camouflage the parts of the file that
contain the encrypted data. Specifically, we use a spread-spectrum code to distribute the
pointers in the file index block. We alter the operating system to intercept file requests
made without an appropriate key and return data that is consistently random (i.e., reading
the same block will return the same “garbage”), without requiring that such data be stored
on disk. This random data is indistinguishable from encrypted data. In this way, each
file appears to be an opaque block of bits on the order of a terabyte. There is no need to
actually fill the disk with random data, as done in [13], because the OS is responsible for
generating this fake data on the fly. An attacker must mount a brute force attack not only
against the underlying cipher, but also against the spreading sequence. In our prototype,
this can increase an attacker’s work factor by 2^28 without noticeable performance loss
for legitimate users.

1.1 Paper Organization 

The remainder of this paper is organized as follows. In Section 2, we discuss our approach 
to the problem, examine the threat model, and provide a security analysis. In Section 3 we 
discuss in detail the implementation of CamouflageFS as a variant of the Linux Ext2fs, 
and Section 4 presents some preliminary performance measurements of the system. We 
give an overview of the related work on cryptographic and steganographic file systems 
in Section 5. We discuss our plans for future work in Section 6, and conclude the paper 
in Section 7. 

2 Our Approach 

Our primary insight is that a user may decrease the performance penalty they pay for 
employing a cryptographic file system by using only part of the key for cryptographic 
operations. The rest of the key may be used to unpredictably spread the data into the 
file’s address space. Note that we are not necessarily fragmenting the placement of the 
data on disk, but rather mixing the placement of the data within the file.

2.1 Key Composition: Maintaining Confidentiality 

While our goal is to mitigate the performance penalty paid for using a cryptographic 
file system, it is not advisable to trade confidentiality for performance. Instead, we 
argue that keys can be made effectively longer without incurring the usual performance 
penalty. One obvious method of reducing the performance penalty for encrypting files 
is to utilize a cipher with a shorter key length; however, there is a corresponding loss of 
confidentiality with a shorter key length. We address the tradeoff between key length and 
performance by extending the key with “spreading bits,” and exploiting the properties 
of an indexed allocation file system. 

A file system employing indexed allocation can efficiently address disk blocks for 
files approaching terabyte size. In practice, most files are much smaller than this and do 
Fig. 1. Outline of a multi-level index scheme with triple-indirect addressing. The first 12 index
entries point directly to 12 data blocks. The next three index entries are single, double, and triple
indirect. Each indirect block contains 1024 entries: the first level can point to 1024 data blocks,
the second level can point to 1024^2, and the third level points to 1024^3 data blocks.



not use their full “address space.” The Linux Ext2fs on 32-bit architectures commonly 
provides an address range of a few gigabytes to just short of two terabytes, depending 
on the block size, although accessing files larger than two gigabytes requires setting a 
flag when opening the file [4]. 

We use the extra bits of the cryptographic key to spread the file data throughout its 
address space and use the primary key material to encrypt that data. By combining this 
spreading function with random data for unallocated blocks, we prevent an attacker from 
knowing which blocks to perform a brute force search on. To maintain this illusion of a 
larger file without actually allocating it on disk, we return consistently random data on 
read() operations that are not accompanied by the proper cryptographic key.

2.2 Indexed Allocation 

In a multi-level indexed allocation scheme, the operating system maintains an index of 
entries per file that can quickly address any given block of that file. In the Ext2 file 
system, this index contains fifteen entries (see Figure 1). The first twelve entries point 
directly to the first twelve blocks of the file. Assuming a block size of 4096 bytes, the first 
twelve entries of this index map to the first 48Kb of a file. The next three entries are all 
indirect pointers to sub-indices, with one layer of indirection, two layers of indirection, 
and three layers of indirection, respectively [4]. 

Figure 2 shows a somewhat simplified example of a single-level direct-mapped index. 
The file index points directly to blocks with plaintext data. Holes in the file may exist; 
reading data from such holes returns zeroed-out blocks, while writing in the holes causes 
a physical disk block to be allocated. Cryptographic file systems encrypt the stored data, 
which leaves the index structure identical but protects the contents of the data blocks, as 
shown in Figure 3. 
Fig. 2. File index for a normal data file. Pointers to plaintext data blocks are stored sequentially at
the beginning of the index. Files may already contain file holes - this index has a hole at the third 
block position. 



Usually, most files are small and do not need to expand beyond the first twelve 
direct mapped entries. This design allows the data in a small file to be retrieved in two 
disk accesses. However, retrieving data pointed to by entries of the sub-indices is not 
prohibitively expensive, especially in the presence of disk caches [4].

Therefore, instead of clustering the pointers to file data in the beginning entries of 
the index, we can distribute them throughout the index. In order for the operating system 
to reliably access the data in the file, we need some sequence of numbers to provide 
the spreading schedule, or which index entries point to the different blocks of the file. 
Figure 4 shows encrypted data that has been spread throughout the file’s address space. 

2.3 Spreading Schedule 

The purpose of the spreading schedule is to randomly distribute the real file data through- 
out a large address space so that an attacker would have to first guess the spreading 
schedule before he attempts a brute force search on the rest of the key. 

Normally, the number of the index entry is calculated by taking the floor of the
current file position “pos” divided by the block size.

index = floor(pos / blocksize)

This index number is then used to derive the logical block number (the block on disk)
where the data at “pos” resides.

lbn = get_from_index(index)

This procedure is altered to employ the spreading schedule. The initial calculation of
the index is performed, but before the logical block number is derived, a pseudo-random
permutation (PRP) function takes the calculated index and the bits of the spreading seed
to return a new index value, without producing collisions. The logical block number is
then derived from this new index.

index = floor(pos / blocksize)

index = map(index, spreadseed)

lbn = get_from_index(index)

Fig. 3. Index for an encrypted file. The indexing has not changed, merely the contents of the data
blocks. Again, the file hole at block three is present.

Note that the actual disk block is irrelevant; we are only interested in calculating a new 
entry in the file index, rather than using the strictly sequential ordering. Given the secret 
spreading seed bits of the key, this procedure will return consistent results. Therefore, 
using the same key will produce a consistent spreading schedule, and a legitimate user 
can easily retrieve and decrypt their data. 

2.4 Consistent Garbage 

The spreading schedule is useless without some mechanism to make the real encrypted
data appear indistinguishable from unallocated data blocks. To accomplish this blending,
camouflage data is generated by the operating system whenever a request is made
on an index entry that points to unallocated disk space (essentially a file hole). Each
CamouflageFS file will contain a number of file holes. Without the key, a request on
any index entry will return random data. There is no way to determine if this data is
encrypted without knowing the spreading schedule, because data encrypted by a strong
cipher should appear to be random in its ciphertext form. We employ a linear congruential
generator [11] (LCG) to provide pseudo-random data based on a secret random
quantity known only to the operating system. This final touch camouflages the actual
encrypted data, and the file index is logically similar to Figure 5. Note that camouflage
data is only needed (and created on the fly) when the system is under attack; it has no
impact on performance or disk capacity under regular system operation.
Fig. 4. Index where the entries for the data blocks have been spread. We have created an implicit
virtual index to spread the file data blocks throughout the file’s address space. The file address 
space is now replete with file holes. Note that it is simple to distinguish the encrypted data from 
the file holes because the operating system will happily return zeroed data in place of a hole. 



2.5 Security Analysis 

Threat Model. The threat model is based on two classes of attacker. The first has
physical access to the disk (e.g., by stealing the user’s laptop). The second has read and
write access to the file, perhaps because they have usurped the privileges of the file owner
or because the file owner inadvertently provided a set of permission bits that was too
liberal. The attacker does not know the secret key (including the spreading bits).

The attacker can observe the entire file, asking the operating system to provide every 
block. The attacker has access to the full range of Unix user-level tools, as well as the 
CamouflageFS tool set. The attacker could potentially corrupt the contents of the file, 
but our primary concern is maintaining the data’s confidentiality. Integrity protection 
can be accomplished via other means. 



Mechanism. For the purposes of this analysis, we assume that data would normally
be enciphered with a 128 bit key. We also assume that 32 “spreading bits” are logically
appended to the key, making an effective key of length 160 bits. Finally, we assume that
the cipher used does not have any weakness that can be exploited to allow the attacker
a less-than-brute-force search of the key space. Since only the operating system and
the user know the 160 bits of the key, anyone trying to guess the spreading schedule
would have to generate and test 2^32 runs of the schedule generator even before they
attempt any decryption. Note that if the operating system did not generate camouflage
data, the attacker could easily ignore the spreading schedule function and simply grab
disk blocks in the file that did not return null data. At this point, the attacker would still
have to perform a 2^128 brute force search on the key space.
Fig. 5. Index where the data has been spread and camouflaged. Instructing the operating system to
return consistent random data instead of zero-filled blocks for file holes effectively camouflages 
the encrypted data. 



Camouflage Synchronization. There are some important issues that must be resolved 
in order for the generated camouflage data to actually protect the encrypted data. Most 
importantly, we do not want the attacker to be able to distinguish between the generated 
camouflage and the real encrypted data. Both sets should appear uniformly random. We 
assume that the attacker is free to make requests to the operating system to read the 
entire file. There are two instances of the problem of the camouflage data being “out of 
sync” with the real file data. 

The first instance is that if the same camouflage data is returned consistently over a 
long period of time, the attacker could surmise that only the parts of the file that actually 
do change are being encrypted and thus correspond to the actual data in the file. This 
kind of de-synchronization could happen with a frequently edited file. 

On the other hand, if the file data remains stable for a long period of time, and we 
repeatedly update the camouflage data, the attacker could conjecture that the parts of the 
file that do not change are the real data. This type of file could be a configuration file for 
a stable or long-running service. 

These kinds of de-synchronization eliminate most of the benefits of the spreading 
schedule, because the attacker only has to rearrange a much smaller number of blocks and 
then move on to performing a search of the key space. In some cases, it may be reasonable 
to assume that these blocks are only a subset of the file data, but as a general rule, these 
“hotspots” (or “deadspots”) of data (in)activity will stick out from the camouflage. 

A mechanism should be provided for updating the composition of the camouflage 
data at a rate that approximates the change of the real file data. Since we do not actually 
store the camouflage data on disk, this requirement amounts to providing a mechanism 
for altering the generation of the camouflage data in some unpredictable manner. 

Attacks. First, note that most attacks on the system still leave the attacker with a
significant brute force search. Second, we are primarily concerned (as per the threat
model described above) with data confidentiality, including attacks where an intruder
has access to the raw disk.

1. An attacker could request the entire file contents and perform a brute force search
for the key. This attack is the least rewarding.

2. An attacker may discover the camouflage magic value by reading the i-node information.
This would allow the attacker to identify camouflage data. The solution is
to encrypt the index portion of the i-nodes with the user’s full key, or with a file
system-wide key. In either case, the performance penalty would be minimal, due to
the small size of the encrypted data.

Alternatively, we can use a smart card during a user session to allow the OS to decrypt
the i-nodes. Recent work on disk encryption techniques [9] discusses various ways
to accomplish this goal.

3. An attacker could use a bad key to write into the file, corrupting the data. Two possible
solutions are to use an integrity protection mechanism or to store some redundancy in
the i-node to check if the provided key correctly decrypts the redundancy. However,
these measures act like an oracle to the attacker; failing writes indicate that the
provided key was not correct.

4. The attacker could observe the file over a period of time and conjecture that certain
parts of the file are camouflage because they do not change or change too often. A
mechanism would need to be implemented to change the camouflage seed at the
same rate other file data changes.

3 Implementation 

CamouflageFS is a rather straightforward extension to the standard Ext2 file system 
for the Linux 2.4.19 kernel. The current implementation can coexist with normal file 
operations and does not require any extra work to use regular Ext2 files. 

CamouflageFS consists of two major components. The first is a set of ioctl()s through
which the user can provide a key that controls how the kernel locates and decrypts
camouflaged files. The second component is the set of read and write operations that
implement the basic functionality of the system. In addition, a set of user-level tools
was developed for simple file read and write operations (similar to cat and cp) that
encapsulate the key handling and ioctl() mechanisms.

3.1 LFS: Large File Support 

Employing the entire available address range for files is implied in the operation of 
CamouflageFS. Large File Support [8] for Linux is available in the kernel version of our 
implementation and requires that our user level utilities be compiled with this support. 

The thirty-two bit architecture implementation of Ext2 with LFS and a block size of
4096 bytes imposes a twenty-eight bit limit on our “extension” of a key. This limitation
exists because of the structure of the multi-level index (see Figure 1) and the blocksize
of 4096 bytes. Since the index works at the block, rather than byte, granularity, the 2^40
bytes in the file are addressed by blocks of 4096 (2^12) bytes, with 4 bytes per index entry.
This relationship dictates a selection of roughly 2^28 index blocks (so that we do not run
into the Ext2 file size limitation of just under 2 terabytes).

The O_LARGEFILE flag is needed when opening a file greater than two gigabytes;
this flag and the 64-bit versions of various file handling functions are made available by
defining _LARGEFILE_SOURCE and _LARGEFILE64_SOURCE in the source code
of the utilities. The utilities are then compiled with the _LARGEFILE_SOURCE and
_FILE_OFFSET_BITS flags.

3.2 Data Structures 

The first changes to be made were the addition of the data structures that would support 
the CamouflageFS operations. In order to simplify the implementation, no changes were 
made to the structure of the Ext2 i-node on disk, so CamouflageFS can peacefully co-exist 
with and operate on Ext2 formatted partitions. 

An unsigned thirty-two bit quantity (i_camouflaged) was added to the in-memory
structure for an Ext2 i-node. This quantity served as a flag, where a zero value indicated 
that the file was not a CamouflageFS file. Any non-zero value indicated otherwise. Once 
a file was marked as a CamouflageFS file, a secret random value was stored in this field 
for use in producing the camouflage for the file holes. This field is initialized to zero 
when the i-node is allocated. A structure was defined for the cryptographic key and added 
to the file handle structure. 

Other changes include the addition of various header files for the encryption and
hash algorithms, our LCG operations, additional ioctl() commands, and our index entry
spreading functions. The actual operation and implementation of these functions are
described below.

3.3 Cryptographic Support 

CamouflageFS uses the Blowfish encryption algorithm [15] to encrypt each block of data,
and can use either SHA-1 or an adaptation of RC6 during the calculation of the spread
index entries. Code for these algorithms is publicly available and most was adapted for
use from the versions found in the Linux 2.5.49 kernel.

3.4 Command and Control 

The ioctl() implementation for Ext2 was altered to interpret five new commands for 
controlling files that belong to CamouflageFS. The two most important commands are: 

1. EXT2_IOC_ENABLE_CAMOUFLAGE is a command that marks a file as being
used by CamouflageFS. When a file is marked as part of the CamouflageFS, a random
number is extracted from the kernel entropy pool and stored in the i_camouflaged
field of the i-node. This has the dual effect of marking the file and preparing the
system to return random camouflage data in place of file holes.

2. EXT2_IOC_SHOW_KEY_MATERIAL is the primary command for interacting with
the file once it has been marked as a CamouflageFS file. This command is accompanied
by a key structure matching the one described above and is used during
subsequent read or write operations on the file handle. Note that the supplied key
could be incorrect; at no time is the genuine key stored on disk.
3.5 User Tools and Cryptographic Support

Several user-level tools were developed to aid in the use of the system. These tools
primarily wrap the ioctl() commands and other routine work of supplying a key and
reading from or writing to a file. A userland header file (cmgfs.h) is provided to define
the ioctl() commands and the file key structure.

The read() and write() operations for Ext2 were augmented to use the provided key
if necessary to decrypt or encrypt the file data, respectively. Each page was encrypted or
decrypted as a whole. Before a write could succeed, the page needed to be decrypted,
the plaintext added at the appropriate position, and then the altered page data encrypted
and written to disk.



3.6 Index Mapping 

A variable length block cipher is utilized as a pseudo-random permutation (PRP) to map 
sequential block indices to ostensibly random indices. The underlying concept and justification
for the variable length block cipher construction of which the implementation
in CamouflageFS is a particular instance is beyond the scope of this paper. While only 
the 28-bit PRP implemented for CamouflageFS is briefly described here, it should be 
noted the variable length block cipher can be built upon any existing block cipher and 
stream cipher. RC6 was chosen for this implementation because its construction makes 
it applicable to small block sizes and RC4 was utilized due to its simplicity. 

The PRP is an unbalanced Feistel network consisting of the RC6 round function 
combined with initial and end of round whitening. RC4 is used to create the expanded 
key. The PRP operates on a 28-bit block split into left and right segments consisting of 
16 bits and 12 bits, respectively. The RC6 round function is applied to the 16-bit segment 
using a word size of 4 bits. The number of rounds and specific words swapped after each 
round were chosen such that each word was active in 20 rounds, equally in each of the 
first four word positions. 

While the current mapping of block indices cannot be considered pseudo-random in 
theory, because the maximum length of an index is restricted to 28 bits in the file system
and thus an exhaustive search is feasible, the use of a variable length block cipher will 
allow support for longer indices when needed. 
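The spreading schedule of Section 2.3 (floor(pos / blocksize), then map(index, spreadseed)) and the 28-bit unbalanced Feistel PRP of Section 3.6, as an added example that is not the CamouflageFS code: the round function, key expansion and round structure are simplified stand-ins (assumptions) for the RC6 round function and RC4 key expansion the paper uses, and the seed and indices are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Index width imposed by the 32-bit Ext2 layout discussed in Section 3.1 */
#define INDEX_BITS 28
#define INDEX_MASK ((1u << INDEX_BITS) - 1u)
#define LEFT_BITS  16                  /* "left" segment of the 28-bit block */
#define RIGHT_BITS 12                  /* "right" segment */
#define LEFT_MASK  ((1u << LEFT_BITS) - 1u)
#define RIGHT_MASK ((1u << RIGHT_BITS) - 1u)
#define ROUNDS     20
#define BLOCKSIZE  4096u

/* Toy keyed round function (assumption: stands in for the RC6 round function). */
static uint32_t round_fn(uint32_t x, uint32_t subkey)
{
    uint32_t t = (x ^ subkey) * 0x9E3779B1u;
    t ^= t >> 15;
    t *= 0x85EBCA77u;
    t ^= t >> 13;
    return t;
}

/* Expand the spreading seed into per-round subkeys (assumption: a simple
 * multiplicative expansion instead of the RC4-based expansion in the paper). */
static void expand_key(uint32_t spreadseed, uint32_t subkeys[ROUNDS])
{
    uint32_t s = spreadseed ^ 0xC2B2AE35u;
    for (int i = 0; i < ROUNDS; i++) {
        s = s * 1664525u + 1013904223u;
        subkeys[i] = s ^ (s >> 16);
    }
}

/* Unbalanced Feistel network on a 28-bit block: even rounds fold the 16-bit
 * left segment into the 12-bit right segment, odd rounds do the reverse.
 * Every round XORs in a value that depends only on the other segment, so the
 * map is a bijection on [0, 2^28): spread indices never collide. */
static uint32_t feistel(uint32_t index, uint32_t spreadseed, int invert)
{
    uint32_t k[ROUNDS];
    expand_key(spreadseed, k);
    uint32_t left  = (index >> RIGHT_BITS) & LEFT_MASK;
    uint32_t right = index & RIGHT_MASK;
    for (int n = 0; n < ROUNDS; n++) {
        int r = invert ? ROUNDS - 1 - n : n;   /* same rounds, reversed order */
        if (r % 2 == 0)
            right ^= round_fn(left, k[r]) & RIGHT_MASK;
        else
            left ^= round_fn(right, k[r]) & LEFT_MASK;
    }
    return (left << RIGHT_BITS) | right;
}

/* map(index, spreadseed): sequential index -> entry in the virtual index */
uint32_t spread_index(uint32_t index, uint32_t spreadseed)
{
    return feistel(index & INDEX_MASK, spreadseed, 0);
}

/* Inverse map: virtual index entry -> sequential index */
uint32_t unspread_index(uint32_t spread, uint32_t spreadseed)
{
    return feistel(spread & INDEX_MASK, spreadseed, 1);
}

/* The altered lookup from Section 2.3: floor(pos / blocksize), then the PRP */
uint32_t index_for_pos(uint64_t pos, uint32_t spreadseed)
{
    return spread_index((uint32_t)(pos / BLOCKSIZE), spreadseed);
}

/* 1 if the first n indices round-trip and stay inside the 28-bit range */
int spreading_roundtrip_ok(uint32_t spreadseed, uint32_t n)
{
    for (uint32_t i = 0; i < n; i++) {
        uint32_t s = spread_index(i, spreadseed);
        if (s > INDEX_MASK || unspread_index(s, spreadseed) != i)
            return 0;
    }
    return 1;
}

int main(void)
{
    uint32_t seed = 0x0ABCDEF1u;   /* constructed 28-bit spreading seed */
    for (uint32_t i = 0; i < 8; i++)
        printf("block %u -> virtual index entry %u\n", i, spread_index(i, seed));
    printf("round trip ok: %d\n", spreading_roundtrip_ok(seed, 100000));
    return 0;
}
```

With a different seed the same block lands on a different entry, which is the "consistent schedule per key" property of Section 2.3.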



3.7 Producing Camouflage Data 

Camouflage data is produced whenever an unallocated data block is pointed to by the 
file index. If the block is part of a hole and the file is camouflaged, then our LCG is 
invoked to provide the appropriate data. 

In order to avoid timing attacks, whereby an attacker can determine whether a block 
contains real (encrypted) or camouflaged data based on the time it took for a request 
to be completed, we read a block from the disk before we generate the camouflage 
data. The disk block is placed on the file cache, so subsequent reads for the same block 
will simulate the effect of a cache, even though the data returned is camouflage and 
independent of the contents of the block that was read from disk. 
Finally, notice that camouflage data is only produced when an attacker (or curious
user) is probing the protected file — under regular use, no camouflaged data would be 
produced. 
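Consistent camouflage for file holes, as described in Sections 2.4 and 3.7, as an added example that is not the paper's code: the i_camouflaged field is the page's, but the per-block seed mixing, the LCG constants and the in-memory "disk" are assumptions, and the file contents are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_SIZE 4096u
#define NBLOCKS    16u    /* tiny constructed file: 16 index entries */

/* In-memory i-node state from Section 3.2: zero means "not a CamouflageFS
 * file"; otherwise the field holds the per-file secret drawn from the kernel
 * entropy pool when EXT2_IOC_ENABLE_CAMOUFLAGE is issued. */
struct cmg_inode {
    uint32_t       i_camouflaged;
    const uint8_t *block[NBLOCKS];   /* NULL entry == file hole */
};

/* Linear congruential generator step (Numerical Recipes constants). */
static uint32_t lcg_next(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state;
}

/* Per-block seed: mixes the i-node secret with the index entry so that each
 * hole yields a different but stable stream (mixing function is an assumption). */
static uint32_t camouflage_seed(uint32_t secret, uint32_t index)
{
    uint32_t s = secret ^ (index * 0x9E3779B1u);
    s ^= s >> 16;
    s *= 0x7FEB352Du;
    s ^= s >> 15;
    return s;
}

/* Fill a hole with camouflage. Only the high byte of each LCG output is used,
 * because the low-order bits of a power-of-two-modulus LCG have short periods. */
void fill_camouflage(uint32_t secret, uint32_t index, uint8_t *buf, size_t len)
{
    uint32_t st = camouflage_seed(secret, index);
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(lcg_next(&st) >> 24);
}

/* Read path for one index entry. Returns 1 for a stored (encrypted) block and
 * 0 for a hole. A hole returns zeros on plain Ext2 but camouflage on a
 * CamouflageFS file, so a reader without the key cannot tell holes from data. */
int read_index_entry(const struct cmg_inode *ino, uint32_t index, uint8_t *out)
{
    if (index >= NBLOCKS) {
        memset(out, 0, BLOCK_SIZE);
        return 0;
    }
    if (ino->block[index] != NULL) {
        memcpy(out, ino->block[index], BLOCK_SIZE);
        return 1;
    }
    if (ino->i_camouflaged == 0)
        memset(out, 0, BLOCK_SIZE);            /* plain Ext2 hole */
    else
        fill_camouflage(ino->i_camouflaged, index, out, BLOCK_SIZE);
    return 0;
}

/* 1 if two reads of hole a return identical bytes (consistency) and hole b
 * returns different bytes (no repeated pattern that would mark holes). */
int camouflage_is_consistent(uint32_t secret, uint32_t a, uint32_t b)
{
    static uint8_t x[BLOCK_SIZE], y[BLOCK_SIZE], z[BLOCK_SIZE];
    fill_camouflage(secret, a, x, BLOCK_SIZE);
    fill_camouflage(secret, a, y, BLOCK_SIZE);
    fill_camouflage(secret, b, z, BLOCK_SIZE);
    return memcmp(x, y, BLOCK_SIZE) == 0 && memcmp(x, z, BLOCK_SIZE) != 0;
}

int main(void)
{
    static uint8_t real[BLOCK_SIZE];
    memset(real, 0xAB, BLOCK_SIZE);              /* constructed ciphertext block */
    struct cmg_inode ino = { .i_camouflaged = 0x5EEDF00Du };
    ino.block[3] = real;                         /* only entry 3 is allocated */

    static uint8_t buf[BLOCK_SIZE];
    for (uint32_t i = 0; i < 6; i++) {
        int stored = read_index_entry(&ino, i, buf);
        printf("entry %u: %s, first bytes %02x %02x %02x\n", i,
               stored ? "stored" : "hole", buf[0], buf[1], buf[2]);
    }
    printf("consistent: %d\n", camouflage_is_consistent(0x5EEDF00Du, 0, 1));
    return 0;
}
```

The read-from-disk step that Section 3.7 adds to equalise timing between holes and real blocks is not modelled here.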



4 Performance Evaluation 

To test the performance of the system, we compared three implementations of Ext2. The
first implementation was the standard Ext2. The second implementation modified Ext2
to use the Blowfish algorithm to encrypt data inside the kernel. The third implementation
was CamouflageFS and incorporated our techniques along with encryption under
Blowfish. In all cases, performance (measured by the amount of time to read or write
a file) is largely dependent on file size. Execution time was measured with the Unix
time(1) utility; all file sizes were measured for ten runs and the average is recorded in
the presented tables.

The primary goal of our performance measurements on the CamouflageFS prototype 
is to show that the work necessary for a brute force attack can be exponentially increased 
without a legitimate user having to significantly increase the amount of time it takes to 
read and write data files, which is shown in Figure 6. 



file size (kb)   ext2 R   ext2 W   BF R     BF W     cmgfs R   cmgfs W
1                0.002    0.001    0.003    0.001    0.003     0.001
21               0.01     0.001    0.010    0.002    0.010     0.002
42               0.02     0.001    0.020    0.003    0.003     0.004
63               0.03     0.001    0.030    0.004    0.004     0.005
210              0.09     0.002    0.094    0.012    0.206     0.148
2107             0.8395   0.008    0.930    1.096    1.319     1.105
21070            8.371    0.071    9.305    11.019   9.851     11.047
84280            33.5     55.17    37.180   65.416   37.756    67.493

Fig. 6. Time to read and write various size files in our various ext2 file system implementations.
All times are in seconds (s).



Using a longer key contributes to the performance penalty. Most notably, a longer
key length is achieved in 3DES by performing multiple encrypt and decrypt operations
on the input. This approach is understandably quite costly. A second approach, used
in AES-128, simply uses a number of extra rounds (based on the keysize choice) and
not entire re-runs of the algorithm, as with 3DES. Blowfish takes another approach, by
effectively expanding its key material to 448 bits, regardless of the original key length.
The performance impact of encryption (using Blowfish) on ext2fs is shown in the second
set of columns in Figure 6.

Therefore, we want to show that CamouflageFS performs nearly as well as ext2 read() 
and write() operations that use Blowfish alone. Using our prototype implementation, 
the performance is very close to that of a simple encrypting file system, as shown in 
Figure 6. However, we have increased the effective cryptographic key length by 28 bits, 
correspondingly increasing an attacker's work factor by $2^{28}$. 

The CamouflageFS numbers closely match the performance numbers for a pure 
kernel-level Blowfish encryption mechanism, suggesting that the calculation of a new 
index has a negligible impact on performance. For example, the performance overhead 
(calculated as an average over time from Figure 7) of Blowfish is 11% for read() 
operations and 17% for write() operations. CamouflageFS exhibits essentially the same 
performance for these operations: 12% for read()'s and 22% for write()'s. 




Fig. 7. Comparison of ext2 reads and writes versus CamouflageFS. CamouflageFS closely matches 
a file system that only performs encryption. 



5 Related Work 



The work presented in this paper draws on a number of research areas. Most notably, the 
recent work in information hiding and steganographic file systems serves the similar goal 
of hiding sensitive data. Our technique, on the other hand, combines steganography with 
the encryption mechanisms used by traditional cryptographic file systems to improve 
performance without the related cost. 
5.1 Cryptographic File Systems 

Most related efforts on secure file systems have concentrated on providing strong data 
integrity and confidentiality. Further work concentrates on making the process transpar- 
ent or adjusting it for network and distributed environments. The original Cryptographic 
File System (CFS) [3] pointed out the need to embed file crypto services in the file 
system because it was too easy to misuse at the user or application layers. 

Cryptfs [18] is an attempt to address the shortcomings of both CFS and TCFS [5] by 
providing greater transparency and performance. GBDE [9] discusses practical encryp- 
tion at the disk level to provide long-term cryptographic protection to sensitive data. 

FSFS [12] is designed to deal with the complexities of access control in a cryp- 
tographic file system. While the primary concern of CamouflageFS is the speedup of 
data file encryption, file system access control mechanisms are another related area that 
benefits from applied cryptography. 

The Cooperative File System [6] and the Eliot system [16] are examples of file 
systems that attempt to provide anonymity and file survivability in a large network of 
peers. The Mnemosyne [7] file system takes this cause a step further, based on the work 
presented in [1], to provide a distributed steganographic file system. 



5.2 Information Hiding 

Information hiding, or steganography, has a broad range of applications and a long history 
of use, mainly in the military or political sphere. Steganographic methods and tactics 
are currently being applied to a host of problems, including copyright and watermarking 
technology [14]. The survey by Petitcolas, Anderson, and Kuhn [14] presents an excellent 
overview of the field. Anderson [2] constructs a background for steganographic theory 
as well as examining core issues in developing steganographic systems. 

Recently, the principles of information hiding have been applied to creating stegano- 
graphic file systems that provide mechanisms for hiding the existence of data. 



5.3 Steganographic File Systems 

Steganographic file systems aim to hide the presence of sensitive data. While some im- 
plementations merely hide the data inside other files (like the low-order bits of images), 
other systems use encryption to not only hide the data, but protect it from access attempts 
even if discovered. This hybrid approach is similar to CamouflageFS. 

StegFS [13,1] is one such steganographic file system. The primary goal of StegFS 
is to provide (and in some sense define) legal plausible deniability of sensitive data on 
the protected disk, as proposed and outlined by Anderson et al. [1]. Unfortunately, using 
StegFS's strong security results in a major performance hit [13]. StegFS is concerned 
with concealing the location of the disk blocks that contain sensitive data. In short, StegFS 
acts as if two file systems were present: one file system for allocating disk blocks for 
normal files, and one file system for allocating blocks to hidden files using a 15-level 
access scheme. The multiple levels allow lower or less-sensitive levels to be revealed 
under duress without compromising the existence of more sensitive files. 

Each of these two file systems uses the same collection of disk blocks. Normal files 
are allowed to overwrite the blocks used for hidden file data; in order to protect the 
hidden files, each block of a hidden file is mapped to a semi-random set of physical 
blocks. Since each disk block is initialized with random data, the replication makes the 
sensitive data appear no different from a normal unallocated disk block while ensuring 
that the hidden data will survive allocation for normal files. 

6 Future Work 

The work presented here can be extended to other operating systems and file systems. 
For example, OpenBSD provides a wide array of cryptographic support [10]. Further 
work includes performing standard file system benchmarks and implementing AES as 
a choice of cipher. 

Beyond this work, there are two primary issues to be addressed: preventing both 
collisions in the spreading schedule and an attacker’s discernment of camouflage data. 

The use of a variable length block cipher to calculate the virtual index should address 
the possibility of collisions; however, as noted previously, the length should be increased 
to lessen the possibility of a brute force attack. The length of 28 bits in our implementation 
is an architecture and operating system limitation. 

To prevent an attacker from knowing which data was actually camouflage, we would 
have to create some mechanism whereby the Lcamouflaged field is updated at some rate 
to “stir” the entropy source of the camouflage data. 

Further work includes both examining the feasibility of various attack strategies 
against the system and discovering what effect (if any) the spreading schedule has on 
the placement of data on disk. There should be little impact on performance here; the 
virtual index is relatively independent of what disk blocks contain the data. 

7 Conclusions 

CamouflageFS is a simple, portable, and effective approach to improving data confidentiality 
in cryptographic file systems. The approach taken is to hide the encrypted data in 
an artificially large file, using a key-driven spread-spectrum sequence. Attackers must 
guess both the cryptographic key and the spreading key, effectively increasing their 
work factor. Appropriate measures are taken to prevent an attacker from determining 
which disk blocks contain encrypted data. The performance impact of the technique on 
legitimate users is negligible. 

We intend to investigate further applications of this practical combination of stegano- 
graphic and cryptographic techniques for improving security in other areas. 
Abstract. We propose a new keyword-based Private Information Retrieval (PIR) 
model that allows private modification of the database from which information 
is requested. In our model, the database is distributed over n servers, any one 
of which can act as a transparent interface for clients. We present protocols that 
support operations for accessing data, focusing on privately appending labelled 
records to the database (push) and privately retrieving the next unseen record 
appended under a given label (pull). The communication complexity between 
the client and servers is independent of the number of records in the database 
(or more generally, the number of previous push and pull operations) and of 
the number of servers. Our scheme also supports access control oblivious to the 
database servers by implicitly including a public key in each push, so that only the 
party holding the private key can retrieve the record via pull. To our knowledge, 
this is the first system that achieves the following properties: private database 
modification, private retrieval of multiple records with the same keyword, and 
oblivious access control. We also provide a number of extensions to our protocols 
and, as a demonstrative application, an unlinkable anonymous communication 
service using them. 



1 Introduction 

The study of techniques by which a client can retrieve information from a database 
without exposing its query or the response to the database was initiated with oblivious 
transfer [17]. In the past decade, this goal has been augmented with that of minimizing 
communication complexity between clients and servers, a problem labelled Private 
Information Retrieval (PIR) [8]. To date, PIR has received significant attention in the 
literature, but a number of practically important limitations remain: queries are limited 
to returning small items (typically single bits), data must be retrieved by address as 
opposed to by keyword search, and there is limited support for modifications to the 
database. Each of these limitations has received attention (e.g., [9,8,14,6]), but we are 
aware of no solution that fully addresses them simultaneously. 

In this extended abstract we present novel protocols by which a client can privately 
access a distributed database. Our protocols address the above limitations while retaining 
privacy of queries (provided that at most a fixed threshold t of servers is compromised) 
and while improving client-server communication efficiency over PIR solutions at the 
cost of server-server communication. Specifically, the operations we highlight here 
include: 

- push In order to insert a new record into the database, the client performs a push 
operation that takes a label, the record data, and a public key as arguments. 

- pull To retrieve a record, a client performs a pull operation with a label and a 
private key as arguments. The response to a pull indicates the number of records 
previously pushed with that label and a corresponding public key, and if any, returns 
the first such record that was not previously returned in a pull (or no record if they 
all were previously returned). 

Intuitively, the pull operation functions as a type of “dequeue” operation or list iterator: 
each successive pull with the same label and private key will return a new record pushed 
with that label and corresponding public key, until these records are exhausted. We 
emphasize that the above operations are private, and thus we call this paradigm Private 
Push and Pull ($P^3$). 

As an example application of these protocols, suppose we would like to construct a 
private bulletin board application. In this scenario, clients can deposit messages which 
are retrieved asynchronously by other clients. An important requirement is that the 
communication between senders and receivers remains hidden from the database servers, a 
property called unlinkability. Clients encrypt messages for privacy, and label them with 
a keyword, the mailbox address of the recipient. If multiple clients send messages to the 
same recipient, there exist multiple records in the database with the same keyword. We 
would like to provide the receiver with a mechanism to retrieve some or all of the messages 
from his mailbox. Thus, the system should allow insertion and retrieval of multiple 
records with the same keyword. Another desirable property would be to provide oblivious 
access control, such that a receiver can retrieve from its mailbox only if he knows a 
certain private key. In addition, the database enforces the access control obliviously, i.e., 
the servers do not know the identity of the intended recipient. All these properties are 
achieved by our $P^3$ protocols, and the construction of such a private bulletin board is an 
immediate application of these protocols. 

Our protocols have additional properties. Labels in the database, arguments to push 
and pull requests, and responses to pull requests are computationally hidden from up to t 
maliciously corrupted servers and any number of corrupted clients. The communication 
complexity incurred by the client during a push or pull operation is independent of both 
the number of servers and the number of records in the database, and requires only a 
constant number of ciphertexts. While communication complexity between the servers 
is linearly dependent on both the number of servers and the number of records in the 
database, we believe that this tradeoff — i.e., minimizing client-server communication at 
the cost of server-server communication — is justified in scenarios involving bandwidth- 
limited or geographically distant clients. 

Beyond our basic push and pull protocols, we will additionally provide a number of 
enhancements to our framework, such as: a peek protocol that, given a label and private 
key, privately retrieves the i-th record pushed with that label and corresponding public 
key; a modification to pull to permit the retrieval of arbitrary-length records; and the 
ability to perform a pull based not only on identical label matching, but based on any 
predicate on labels (with additional cost in server-server communication complexity). 

We define security of the $P^3$ protocols in the malicious and honest-but-curious adversary 
models. The definition of security that we employ is very similar to the definition 
of secure multi-party computation [11]. Proofs that $P^3$ satisfies the definition of security 
in the malicious adversary model will be given in the full version of the paper. We also 
propose a more efficient $P^3$ protocol that is secure in the honest-but-curious model. We 
thus achieve a tradeoff between the level of security guaranteed by our protocols and 
their computational complexity. 

To summarize, the contributions of our paper are: 

- The definition of a new keyword-based Private Information Retrieval model 

Our model extends previous work on PIR in several ways. Firstly, we enable private 
modification of the database, where the database servers do not learn the modified 
content. Secondly, we allow retrieval of a subset or all records matching a given 
keyword. And, finally, we provide oblivious access control, such that only the intended 
recipients can retrieve messages and the servers do not know the identity of 
message recipients. 

- The construction of secure and efficient protocols in this model 

We design $P^3$ protocols that achieve a constant communication complexity (in 
number of ciphertexts) between the clients and the servers and that are provably 
secure in the malicious adversary model. 

- The design of an unlinkable [16] anonymous messaging service using the newly 
proposed protocols 

The anonymous messaging service we design is analogous to a bulletin board, where 
clients deposit messages for other clients, to retrieve them at their convenience. The 
security properties of the $P^3$ protocols provide the system with unlinkability. 



2 Related Work 

As already mentioned, our $P^3$ primitive is related to other protocols for hiding what 
a client retrieves from a database. In this section we differentiate $P^3$ from these other 
protocols. 

Private information retrieval (PIR) [9,8,3] enables a client holding an index $i$, $1 \le i \le 
d$, to retrieve data item $i$ from a $d$-item database without revealing $i$ to the database. This 
can be trivially achieved by sending the entire database to the client, so PIR mandates 
sublinear (and ideally polylogarithmic) communication complexity as a function of $d$. 
Our approach relaxes this requirement for server-to-server communication (which is not 
typically employed in PIR solutions), and retains this requirement for communication 
with clients; our approach ensures client communication complexity that is independent 
of $d$. In addition, classic PIR does not address database changes and does not support 
labelled data on which clients can search. 

Support for modifying the database was introduced in private information storage 
[14]. This supports both reads and writes, without revealing the address read or 
written. However, it requires the client to know the address it wants to read or write. $P^3$ 
eliminates the need for a client to know the address to read from, by allowing retrieval 
of data as selected by a predicate on labels. $P^3$ does not allow overwriting of values, but 
allows clients to retrieve all records matching a given query. 

The problem of determining whether a keyword is present in a database without 
revealing the keyword (and again with communication sublinear in $d$) is addressed in [6]. 
The $P^3$ framework permits richer searches on keywords beyond identical matching — 
with commensurate additional expense in server complexity — though $P^3$ using identical 
keyword matching is a particularly efficient example. Another significant difference is 
that $P^3$ returns the data associated with the selected label, rather than merely testing for 
the existence of a label. 

Also related to $P^3$ is work on oblivious keyword search [13], which enables a client to 
retrieve data for which the label identically matches a keyword. Like work on oblivious 
transfer that preceded it, this problem introduces the security requirement that the client 
learn nothing about the database other than the record retrieved. It also imposes weaker 
constraints on communication complexity. Specifically, communication complexity between 
a client and servers is permitted to be linear in $d$. 

3 Preliminaries 

A public-key cryptosystem is a triplet of probabilistic algorithms $(G, E, D)$ running in 
expected polynomial time. $G(1^{n_{\mathcal{E}}})$ is a probabilistic algorithm that outputs a pair of 
keys $(pk, sk)$, given as input a security parameter $n_{\mathcal{E}}$. Encryption, denoted as $E_{pk}(m)$, 
is a probabilistic algorithm that outputs a ciphertext $c$ for a given plaintext $m$. The 
deterministic algorithm for decryption, denoted as $D_{sk}(c)$, outputs a decryption $m$ of $c$. 
Correctness requires that for any message $m$, $D_{sk}(E_{pk}(m)) = m$. 

The cryptosystems used in our protocols require some of the following properties: 

- message indistinguishability under chosen plaintext attack (IND-CPA security) [12]: 
an adversary is given a public key $pk$, and chooses two messages $m_0, m_1$ from the 
plaintext space of the encryption scheme. These are given as input to a test oracle. The 
test oracle chooses $b \leftarrow \{0, 1\}$ and gives the adversary $E_{pk}(m_b)$. The adversary 
must not be able to guess $b$ with probability more than negligibly different from 

- $(t, n)$ threshold decryption: a probabilistic polynomial-time (PPT) share-generation 
algorithm $S$, given $pk, sk, t, n$, outputs private shares $sk_1, \ldots, sk_n$ such that parties 
who possess at least $t + 1$ shares and a ciphertext $c$ can interact to compute $D_{sk}(c)$. 
Specifically we require $(n - 1, n)$ threshold decryption, where the private shares 
are additive over the integers, such that $sk = \sum_{i=1}^{n} sk_i$. 

- threshold IND-CPA security [10]: the definition for threshold IND-CPA security is 
the same as for normal IND-CPA security, with minor changes. Firstly, the adversary 
is allowed to choose up to $t$ servers to corrupt, and observes all of their secret 
information, as well as controlling their behaviour. Secondly, the adversary has 
access to a partial decryption oracle, which takes a message $m$ and outputs all $n$ 
shares (constructed just as decryption proceeds) of the decryption of an encryption 
of $m$. 

- partial homomorphism: there must be PPT algorithms $+_{pk}$, $-_{pk}$, $\cdot_{pk}$ for addition 
and subtraction of ciphertexts, and for the multiplication of a known constant by 
a ciphertext, such that for all $a, b$ in the plaintext domain of the encryption scheme and 
$c \in \mathbb{Z}$ such that the result of the desired operation is also in the plaintext domain 
of the encryption scheme: 

$D_{sk}(E_{pk}(a) +_{pk} E_{pk}(b)) = a + b$ 
$D_{sk}(E_{pk}(a) -_{pk} E_{pk}(b)) = a - b$ 
$D_{sk}(c \cdot_{pk} E_{pk}(a)) = ca$ 

- blinding: there must be a PPT algorithm $\mathrm{Blind}_{pk}$ which, given a ciphertext $c$ which 
encrypts message $m$, produces an encryption of $m$, pulled from a distribution which 
is uniform over all possible encryptions of $m$. 

- indistinguishability of ciphertexts under different keys (key privacy) [1]: the adversary 
is given two different public keys $pk_0, pk_1$ and it chooses a message from the 
plaintext range of the encryption scheme considered. Given an encryption of the 
message under one of the two keys, chosen at random, the adversary is not able 
to distinguish which key was used for encryption with probability non-negligibly 
higher than $\frac{1}{2}$. 



3.1 Notation 

- $a \| b$ denotes the concatenation of $a$ and $b$; 

- $x \leftarrow D$ denotes that $x$ is sampled from the distribution $D$; 

- $\overline{x}$ denotes an encryption of $x$ under an encryption scheme that can be inferred from 
the context; 

- $\mathcal{E} = (G, E, D)$, an IND-CPA secure, partially homomorphic encryption scheme, 
for which we can construct proofs of plaintext knowledge and blind ciphertexts. For 
the construction in Sec. 5, we also require the key privacy property. The security 
parameter for $\mathcal{E}$ is denoted as $n_{\mathcal{E}}$. 

- $\mathcal{TE} = (G_{th}, E_{th}, \mathrm{threshDecrypt})$, a threshold decryption scheme, which is threshold 
IND-CPA secure. threshDecrypt is a distributed algorithm, in which each party 
uses its share of the secret key to compute a share of the decryption. In addition, it 
should have the partial homomorphic property and we should be able to construct 
proofs of plaintext knowledge. The security parameter for $\mathcal{TE}$ is denoted as $n_{\mathcal{TE}}$. 

- $M_{pk}$ denotes the plaintext space of the encryption scheme $\mathcal{E}$ for public key $pk$. 

- $\Pi = \mathrm{zkp}[p]$ denotes the zero-knowledge proof of predicate $p$; $\Pi = \mathrm{zkpk}[p]$ denotes 
the zero-knowledge proof of knowledge of $p$. 

3.2 Paillier 

The Paillier encryption scheme defined in [15] satisfies the first six defined properties. 
In the Paillier cryptosystem, the public key is an RSA modulus $N$ and a generator $g$ 
that has an order that is a multiple of $N$. In order to encrypt a message $m \in \mathbb{Z}_N$, a 
random $r$ is chosen in $\mathbb{Z}_N$, and the ciphertext is $c = g^m r^N \bmod N^2$. In this paper, we 
will consider the plaintext space for the public key $(N, g)$ to be $M_{(N,g)} = \left(-\frac{N}{2}, \frac{N}{2}\right)$ so 
that we can safely compute $-x$, given $x$ in the plaintext space. 

For the construction in Sec. 5, we need key privacy of the encryption scheme used. 
In order to achieve that, we slightly modify the Paillier scheme so that the ciphertext is 
$c + \mu N^2$, where $\mu$ is a random number less than a threshold $T$ ($\kappa_{\mathcal{E}}$ is the 
security parameter). 

The threshold Paillier scheme defined in [10] can be easily modified to use additive 
shares of the secret key over the integers (as this implies shares over $N\lambda(N)$), and thus, with 
the modification given above, satisfies the properties required for $\mathcal{TE}$. 

The unmodified Paillier cryptosystem satisfies the requirements for $\mathcal{E}$. Zero- 
knowledge proofs of plaintext knowledge are given in [7]. 



3.3 System Model 

We denote by $n$ the number of servers, and $t$ the maximum number that may be corrupted. 
Privacy of the protocols is preserved if $t < n$. 

Assuming the servers may use a broadcast channel to communicate, every answer 
returned to a client will be correct if $t < n$ or all servers are honest-but-curious. This 
does not, however, guarantee that an answer will be given in response to every query. 
If every server may act arbitrarily maliciously (Byzantine failures), a broadcast channel 
may be simulated if $t < \frac{n}{3}$. 

We do not address this issue in this paper, but liveness (answering every query) can 
be guaranteed with $t < \frac{n}{2}$ if every misbehaving server is identified and isolated, and the 
protocol is restarted without them. Note that this may take multiple restarts, as not every 
corrupted server must misbehave at the beginning. 

In the malicious model, our protocols are simulatable [11], and thus the privacy of 
client queries, responses to those queries (including the presence or absence of infor- 
mation), and database records is preserved. In the honest-but-curious model, we may 
achieve this privacy property more efficiently. For lack of space, we defer the proofs to 
the full version of this paper. 

The database supports two types of operations. In a push operation, a client provides 
a public key $pk$, a label $\ell$, and data $\delta$. In a pull operation, the client provides a secret 
key $sk$ and a label $x$, and receives an integer and a data item in response. The integer 
should be equal to the number of previous push operations for which the label $\ell = x$ 
and for which the public key $pk$ is the corresponding public key for $sk$. The returned 
data item should be that provided to the first such push operation that has not already 
been returned in a previous pull. If no such data item exists, then none is returned in its 
place. 



4 The $P^3$ Protocol 

We start the description of $P^3$ with the push protocol. Before going into the details of the 
pull protocol, we construct several building block protocols. We give several extensions 
to the basic protocols. We then analyze the communication complexity of the proposed 
protocols. At the end of the section, we suggest a more efficient implementation of our 
protocols in the honest-but-curious model. 

In the protocols given in this paper, the selection predicate is equality of the given 
label $x$ to the $i$-th record label $\ell_i$, under a given secret key $sk$. This selection predicate is 
evaluated using the protocol testRecord. The $P^3$ system can be modified by replacing 
testRecord with a protocol that evaluates an arbitrary predicate, e.g., using [7]. 

4.1 Initial Service-Key Setup 

During the initial setup of a $P^3$ system, the servers collectively generate a public/private 
key pair $(PK, SK)$ for the threshold encryption scheme $\mathcal{TE}$, where $PK$ is the public 
key, and the servers additively share the corresponding private key $SK$. We call the 
public/private key pair the system's service key. We require that $d < q$, $n \cdot d \cdot q^2 < 2^{\kappa_{\mathcal{TE}}-1}$, 
$< 2^{\kappa_{\mathcal{TE}}-1}$, and $2^{\kappa_{\mathcal{E}}+1} + 3 \cdot 2^{2\kappa_{\mathcal{E}}+2} < 2^{\kappa_{\mathcal{TE}}-1}$ so that the operations (presented 
next) over the message space (which is an integer interval of length about $2^{\kappa_{\mathcal{TE}}}$, 
centered around 0) will not “overflow”. Here $d$ denotes the number of records in the 
database, and $q$ is a prime. 

For notational clarity, the protocols are given under the assumption that the data sent 
to the server in a push operation can be represented as an element of Z q . This can be 
trivially extended to arbitrary length records (see 4.5). 

4.2 The Private Push Protocol 

When a client $C$ wants to insert a new record in the distributed database, it first generates 
a public key/secret key pair $(pk, sk)$ for the encryption scheme $\mathcal{TE}$ and then invokes a 
push operation $\mathrm{push}_{PK}(pk, \ell, \delta)$. Here $PK$ is the service key, $\ell$ is the label and $\delta$ is the 
data to be inserted. The protocol is a very simple one and is given in Fig. 1. $H(\cdot)$ is a 
cryptographically secure hash function, e.g., MD5. 

Note that the data is sent directly to the server, and thus if privacy of the contents of 
the data is desired, the data should be encrypted beforehand. 



$\mathrm{push}_{PK}(pk, \ell, \delta)$ 

Client $C$ computes $y = E_{pk}(\ell)$ and sends $(y, H(\delta) \| \delta)$ together with a zero knowledge 
proof of knowledge $\Pi = \mathrm{zkpk}[\ell : \ell \in \mathbb{Z}_q, D_{sk}(y) = \ell]$. 

The server adds the tuple $(y, (H(\delta), \delta), E_{PK}(1))$ to the shared database. 



Fig. 1. The push protocol 



4.3 Building Block Protocols 

The Decrypt Share Protocol. When the decryptShare protocol starts, one of the servers 
receives a ciphertext $c$ encrypted using the public key $pk$ of the threshold homomorphic 
encryption scheme $\mathcal{TE}$. It also receives an integer $R$ representing a randomness range 
large enough to statistically hide the plaintext corresponding to $c$. We assume that the 
servers additively share the secret key $sk$ corresponding to $pk$, such that each server 
knows a share $sk_i$. After the protocol, the servers additively share the corresponding 
plaintext $m$. Each server will know a share $m_i$, such that $\sum_{i=1}^{n} m_i = m$, and it will 
output a commitment of this share ($\overline{m_i} = E_{pk}(m_i)$). The protocol is given in Fig. 2 and 
is similar to the Additive Secret Sharing protocol in [7]. 



$\mathrm{decryptShare}_{sk_1, \ldots, sk_n}(c, R)$ 

We assume that an arbitrary server holds $c$; assume it is $S_j$. 

1. For $1 \le i \le n$, $S_i$ chooses $a_i \leftarrow [0, \ldots, R]$ and computes $c_i \leftarrow E_{pk}(a_i)$. 

2. For $i = 1, \ldots, n$, $S_i$ broadcasts $c_i$ together with a zero knowledge proof of plaintext 
knowledge of $a_i$: $\Pi_i = \mathrm{zkpk}[a_i : a_i \in [0, \ldots, R], D_{sk}(c_i) = a_i]$. 

3. All the servers check the zero knowledge proofs received from the other servers. If some 
proofs do not verify, then the servers that sent them are excluded from the protocol. 

4. $S_j$ computes $c' = c +_{pk} c_1 +_{pk} c_2 +_{pk} \cdots +_{pk} c_n$. 

5. All servers participate in $m' = \mathrm{threshDecrypt}_{sk_1, \ldots, sk_n}(c')$. 

6. The additive share of $m$ for $S_j$ is $m_j = -a_j + m'$ and the commitment $\overline{m_j}$ can be 
computed as $\overline{m_j} = c' -_{pk} c_j$. 

The additive share of $m$ for $S_i$, $i \ne j$, is $m_i = -a_i$ and the commitment $\overline{m_i}$ can be 
computed as $\overline{m_i} = -_{pk} c_i$. 



Fig. 2. The decryptShare protocol 



The Multiplication Protocol. The mult protocol receives as input two encrypted values 
$\overline{x}$ and $\overline{y}$ under a public key $pk$ of the threshold homomorphic encryption scheme $\mathcal{TE}$, 
and an integer $R$, used as a parameter to decryptShare. We assume that the servers 
additively share the secret key $sk$ corresponding to $pk$, such that each server knows a 
share $sk_i$. The output of the protocol is a value $\overline{z}$ such that $D_{sk}(\overline{z}) = xy$. The protocol 
is given in Fig. 3 and is similar to the Mult protocol in [7]. 



$\mathrm{mult}_{pk}(\overline{x}, \overline{y}, R)$ 

1. All the servers participate in $\mathrm{decryptShare}_{sk_1, \ldots, sk_n}(\overline{y}, R)$, ending with additive 
shares of $y$: $y_1, \ldots, y_n$ and commitments of these shares $\overline{y_1}, \ldots, \overline{y_n}$. 

2. For $1 \le i \le n$, $S_i$ computes $t_i = \overline{x} \cdot_{pk} y_i$ and broadcasts $t_i$ together with a zero 
knowledge proof of knowledge $\Pi_i = \mathrm{zkpk}[y_i : D_{sk}(\overline{y_i}) = y_i, t_i = \overline{x} \cdot_{pk} y_i]$. 

3. All the servers check the zero knowledge proofs received from the other servers. If some 
proofs do not verify, then the servers that sent them are excluded from the protocol. 

4. The output of the protocol is $\overline{z} = t_1 +_{pk} \cdots +_{pk} t_n$. 



Fig. 3. The mult protocol 
The Share Reduction Protocol. The shareModQ protocol receives as input a prime $q$, 
an encrypted value $\overline{x}$ under a public key $pk$ of the threshold homomorphic encryption 
scheme $\mathcal{TE}$, and an integer $R$, used as a parameter to decryptShare. We assume that 
the servers additively share the secret key $sk$ corresponding to $pk$, such that each server 
knows a share $sk_i$. The output of the protocol is $\overline{y}$ such that $D_{sk}(\overline{y}) \equiv D_{sk}(\overline{x}) \pmod q$, 
$y = y_1 + \cdots + y_n$, $y_i \in \mathbb{Z}_q$. The protocol is given in Fig. 4. 



$\mathrm{shareModQ}_{pk}(\overline{x}, q, R)$ 

1. All the servers participate in $\mathrm{decryptShare}_{sk_1, \ldots, sk_n}(\overline{x}, R)$, ending with additive 
shares of $x$: $x_1, \ldots, x_n$ and commitments of these shares $\overline{x_1}, \ldots, \overline{x_n}$. 

2. For $1 \le i \le n$, $S_i$ computes $y_i = x_i \bmod q$ and broadcasts $\overline{y_i} = E_{pk}(y_i)$ together 
with a zero knowledge proof of knowledge $\Pi_i = \mathrm{zkpk}[x_i, y_i : y_i \in \mathbb{Z}_q, D_{sk}(\overline{y_i}) = 
y_i, D_{sk}(\overline{x_i}) = x_i, y_i = x_i \bmod q]$. 

3. All the servers check the zero knowledge proofs received from the other servers. If some 
proofs do not verify, then the servers that sent them are excluded from the protocol. 

4. All the servers compute $\overline{y} = \overline{y_1} +_{pk} \cdots +_{pk} \overline{y_n}$, which is the output of the protocol. 



Fig. 4. The shareModQ protocol 



The Modular Exponentiation Protocol. The expModQ protocol receives as input an
encrypted value $x$ under a public key $pk$ of the threshold homomorphic encryption
scheme $\mathcal{TE}$, an integer exponent $k$, a prime modulus $q$, and an integer $R$, used
as a parameter to decryptShare. The output of the protocol is $y$ such that $D_{sk}(y) =
D_{sk}(x)^k$. In addition, the decryption of $y$, which we also denote $y$, can be written as $y = y_1 + \cdots + y_n$ with
$y_i \in \mathbb{Z}_q$. We thus have the guarantee that $0 \le y \le (q-1)n$. The protocol is simply
done by repeated squaring using the mult protocol. After each invocation of the mult
protocol, a shareModQ protocol is executed.

4.4 The Private Pull Protocol 

We now have all the necessary tools to proceed to the construction of the pull protocol.
To retrieve the record associated with the label $x$ encrypted under public key $pk$, the
client $C$ must know both $x$ and the secret key $sk$ corresponding to $pk$. $C$ encrypts both the
label $x$ and the secret key $sk$ under the public service key $PK$ and picks a public/secret
key pair $(pk', sk')$ for the encryption scheme $\mathcal{E}$. It then sends $\bar{x}$, $\bar{sk}$ and $pk'$ to an arbitrary
server.

Overview of the Pull Protocol. The servers will jointly compute a template $T =
(T_1, \ldots, T_d)$, where $d$ is the number of records in the database. The template is a series
of indicators encrypted under $pk'$, where $T_i$ indicates whether $x$ matches the label $l_i$
under $sk$ ($\mathrm{threshDecrypt}_{sk}(\bar{l}_i) = x$) and whether $i$ is the first such matching record
not previously read. This determines whether it should be returned as a response to the
query ($D_{sk'}(T_i) = 1$) or not ($D_{sk'}(T_i) = 0 \bmod q$). The protocol returns to the client
the template $T$ and an encrypted counter, $\bar{m}$, that denotes the total number of records
matching a given label.

The protocol starts in step 2 (Figure 5) with the servers getting additive shares of
the secret key $sk$, sent encrypted by the client. In step 3, several flags are initialized, the
meaning of which will be explained in Sec. 4.4. Then, in step 4, it performs an iteration
over all the records in the database, calculating the template entry for each record. In steps
4(a)-4(e), for each record $j$ in the database with the label encrypted under public key $pk_j$,
a decryption under the supplied key $sk$ and a re-encryption of the label under the
service public key $PK$ are calculated. In order to construct the template, the additive homomorphic
properties of the encryption scheme $\mathcal{TE}$ are used. For record $j$ in the database, the servers
jointly determine the correct template value (as explained above), using the building
block testRecord.

The return result is constructed by first multiplying each entry in the template with
the contents of the corresponding record, and then adding the resulting ciphertexts using
the additive homomorphic operation $+_{pk'}$. At most one template value will hold an
encryption of 1, so an encryption of the corresponding record will be returned. All other
records will be multiplied by a multiple of $q$, and will thus be suppressed when the client
performs $D_{sk'}(T) \bmod q$. The bounds on the size of the plaintext range ensure that the
encrypted value does not leave the plaintext range.

An interesting observation is that our approach is very general and we could easily 
change the specification of the pull protocol, by just modifying the testRecord protocol. 
An example of this is given in Sec. 4.5, when we describe the peek protocol. 



Flags for Repeated Keywords. In this section we address the situation in which multiple
records are associated with the same keyword under a single key. The protocol employs
a flag $f$, which is set at the beginning of each pull invocation to an encryption of 1 under
the public service key. $f$ is obliviously set to an encryption of 0 mod $q$ after processing
the first record which both matches the label and has not been previously read. It will
retain this value through the rest of the pull invocation. In addition, each record $i$ in
the database has an associated flag, $r_i$. The decryption of $r_i$ is 1 if record $i$ has not yet
been pulled and 0 mod $q$ afterwards. Initially, during the push protocol, $r_i$ is set to an
encryption of 1.



The testRecord Protocol. The equality test protocol, testRecord, first computes $w$
(steps 1-2), such that $1 -_{PK} w$ is an encryption of 1 if $x = y \bmod q$ and an encryption
of 0 mod $q$ otherwise. In step 3, a flag $s$ is computed as an encryption of 1 if the record
matches the label, $f = 1$ (this is the first matching record), and $r = 1$ (this record has not
been previously retrieved). We then convert $s$ from an encryption under the service key
$PK$ to an encryption under the client's key $pk'$ of the same plaintext indicator (0 mod $q$
or 1). This is performed in steps 4-7 with result $u$. We then update the flags $f$ and $r$, as
well as the counter $\bar{m}$. Both $r$ and $f$ are changed to encryptions of 0 mod $q$ if the record
will be returned in the pull protocol. The new value of $\bar{m}$ is obtained by homomorphically
adding the match indicator $1 -_{PK} w$ to the old value.

The detailed pull and testRecord protocols are given in Figs. 5 and 6. 
$\mathrm{pull}(sk, x, pk', sk')$

The database is a collection of $d$ tuples $\{\mathcal{D}_j = (E_{pk_j}(l_j), e_j, r_j = E_{PK}(1))\}$.
Here $l_j \in \mathbb{Z}_q$ and $e_j \in M_{pk'}$ can be parsed as $e_j = H(\delta_j) \| \delta_j$.

1. $C$ sends $(pk', \bar{x} = E_{PK}(x), \bar{sk} = E_{PK}(sk))$ to an arbitrary server $S_j$, who broadcasts
$pk'$.

2. All the servers participate in $\mathrm{decryptShare}_{SK_1, \ldots, SK_n}(\bar{sk}, 2^{\ldots})$ and end with
additive shares of $sk$: $sk_1, \ldots, sk_n$ and commitments $\hat{sk}_1, \ldots, \hat{sk}_n$.

3. An arbitrary server computes $f \leftarrow E_{PK}(1)$, $\bar{m} \leftarrow E_{pk'}(0)$ and broadcasts them to all
the servers.

4. For $1 \le j \le d$, do:

a) The server that holds $\mathcal{D}_j = (E_{pk_j}(l_j), e_j)$ broadcasts it;

b) All the servers participate in $\mathrm{decryptShare}_{sk_1, \ldots, sk_n}(E_{pk_j}(l_j), \ldots)$ and end
with additive shares of $l'_j$: $l'_{j1}, \ldots, l'_{jn}$ and commitments of these shares:
$\hat{l}'_{j1}, \ldots, \hat{l}'_{jn}$ ($l'_j = l_j \Leftrightarrow sk = sk_j$);

c) Each server $S_i$ broadcasts $\bar{y}_{ji} \leftarrow E_{PK}(l'_{ji})$, together with a zero knowledge proof
of plaintext equality $\Pi_{ji} = \mathrm{zkp}[y_{ji} : D_{SK}(\bar{y}_{ji}) = y_{ji}, D_{sk}(\hat{l}'_{ji}) = y_{ji}]$;

d) All the servers check the zero knowledge proofs received from the other servers.
If some proofs do not verify, then the servers that sent them are excluded from the
protocol;

e) All the servers compute $\bar{y}_j = \bar{y}_{j1} +_{PK} \cdots +_{PK} \bar{y}_{jn}$;

f) All the servers participate in $\mathrm{testRecord}_{pk'}(PK, \bar{x}, \bar{y}_j, f, r_j, \bar{m})$ to obtain
$(T_j, f', r'_j, \bar{m}')$;

g) Set the database tuple $\mathcal{D}_j$ to be $(E_{pk_j}(l_j), e_j, r'_j)$.

(the template is $(T_1, T_2, \ldots, T_d)$)

5. An arbitrary server computes $T = (T_1 \cdot_{pk'} e_1) +_{pk'} \cdots +_{pk'} (T_d \cdot_{pk'} e_d)$ and
sends $T$ and $\bar{m}$ to $C$.

6. $C$ computes $e \leftarrow D_{sk'}(T) \bmod q$, $m \leftarrow D_{sk'}(\bar{m}) \bmod q$ and parses $e$ as $e = (r, \delta)$.

- if $m = 0$, output none;

- otherwise, check $r = H(\delta)$ and if this holds, output data $\delta$ and $m$ number of
matches;

- if the consistency check does not hold, output error.



Fig. 5. The pull protocol 



4.5 Extensions 

Data of Arbitrary Length. The protocols given above can be extended to record data
of arbitrary length as follows. First, the push operation can be naturally extended to
include multiple data items, e.g., $\mathrm{push}(E_{pk}(l), \delta_1, \ldots, \delta_k)$. Next, step 4 in the pull pro-
tocol (Fig. 5) can be performed for each of the $k$ data items, using the same template
$(T_1, \ldots, T_d)$. Note that this does not increase the communication complexity among the
servers. This is particularly efficient for large data records. For example, if the Paillier
system is used, then the client/server communication complexity is asymptotically twice
the actual data size transmitted.
$\mathrm{testRecord}_{pk'}(PK, \bar{x}, \bar{y}, f, r, \bar{m})$

1. All the servers participate in $z \leftarrow \mathrm{shareModQ}_{PK}(\bar{x} -_{PK} \bar{y}, q, 2^{\ldots})$.

2. All the servers participate in $w \leftarrow \mathrm{expModQ}_{PK}(z, q-1, q, 2^{\ldots})$.

3. All the servers participate in $g \leftarrow \mathrm{mult}_{PK}(1 -_{PK} w, f, 2^{\ldots})$
and $s \leftarrow \mathrm{mult}_{PK}(g, r, 2^{\ldots})$.

4. All the servers participate in $\mathrm{decryptShare}_{SK_1, \ldots, SK_n}(s, 2^{\ldots})$ and end up
with shares $s_1, \ldots, s_n$ and commitments $\hat{s}_1, \ldots, \hat{s}_n$.

5. $S_i$ computes $u_i \leftarrow E_{pk'}(s_i)$, $i = 1, \ldots, n$. Then, $S_i$ broadcasts $u_i$ together with a zero
knowledge proof $\Pi_i = \mathrm{zkp}[s_i : D_{sk'}(u_i) = s_i, D_{SK}(\hat{s}_i) = s_i]$.

6. All the servers check the zero knowledge proofs received from the other servers. If some
proofs do not verify, then the servers that sent them are excluded from the protocol.

7. All the servers compute $u = u_1 +_{pk'} u_2 +_{pk'} \cdots +_{pk'} u_n$.

8. $r' \leftarrow \mathrm{mult}_{PK}(r, 1 -_{PK} s, 2^{\ldots})$,
$f' \leftarrow \mathrm{mult}_{PK}(f, 1 -_{PK} s, 2^{\ldots})$.

9. The servers get a re-encryption of $1 - w$ under public key $pk'$, analogously to steps 4-6
above. Denote the additive shares by $h_1, \ldots, h_n$ and the encryption of $1 - w$ under
$pk'$ by $h$. Then, the servers update $\bar{m}' \leftarrow \bar{m} +_{pk'} h$.

10. The output of the protocol is the tuple $(u, f', r', \bar{m}')$.



Fig. 6. The testRecord protocol 



The Peek Protocol. In order to retrieve a matching record by index, here we sketch a 
peek protocol, which can be easily derived from the pull protocol. 

In addition to the parameters to the pull protocol, the peek protocol includes a flag $\bar{i}$,
which is an encryption of the desired index $i$ under the public service key. The database
will return the $i$-th record matching label $x$ or 0, if this does not exist, as well as the
number of records matching the label. The flags $r_j$ for each record and the flag $f$ are not
used in this version of the protocol. In step 4(f) the parameters passed to the testRecord
protocol are $PK$, $\bar{x}$, $\bar{y}_j$ and $\bar{i}$. These are the only changes to the pull protocol.

The servers obliviously decrement $\bar{i}$ at each match found in the database, and re-
turn the record at which $\bar{i}$ becomes an encryption of 0. After steps 1-2 in testRecord,
we test if $\bar{i}$ is an encryption of 0. We insert a step 2' after step 2, in which $e \leftarrow
\mathrm{expModQ}_{PK}(\bar{i}, q-1, q, 2^{\ldots})$ is computed. $1 -_{PK} e$ is an encryption of 1 if $i = 0$.

Step 3 changes to $s \leftarrow \mathrm{mult}_{PK}(1 -_{PK} w, 1 -_{PK} e, 2^{\ldots})$. Steps 4-7 remain
the same. In step 8, we update the value of the index to $\bar{i} -_{PK} (1 -_{PK} w)$.

Beyond Exact Label Matching. We have described our push and pull protocols in terms
of exact label matching, though this can be generalized to support retrieval based on
other predicates on labels. Specifically, given a common predicate $\Pi$, on a pull request
with label $x$ the servers could use secure multiparty computation (the techniques in [7]
are particularly suited in our setting) to compute the template $(T_1, \ldots, T_d)$ indicating
the records for which the labels match $x$ under predicate $\Pi$.



4.6 Efficiency 

Our push, pull and peek protocols achieve a constant communication complexity in 
ciphertexts between the client and the servers. The communication among the servers 
in the pull protocol is proportional to the number of records in the distributed database 
and the number of servers. 

We achieve a tradeoff between the level of security obtained by our protocols and 
their computational and communication complexity. If complexity is a concern, then 
more efficient protocols can be constructed by removing the zero-knowledge proofs and 
the value commitments generated in the protocols. Using standard techniques, we could 
show that the protocols constructed this way are secure in the honest-but-curious model. 
However, due to space limitations, we do not address this further in the paper. 



5 Asynchronous Anonymous Communication 

$P^3$ potentially has many uses in applications where privacy is important. As an example,
in this section we outline the design of a simple anonymous message service using $P^3$
as a primitive. This message service enables a client to deposit a message for another
client to retrieve at its convenience.

The messaging scheme is as follows: 

- A sender uses the push protocol to add a label, encrypted under the receiver’s public 
key, and a message to the database. In this context we call the label a mailbox address. 

• The message should be encrypted for privacy from the servers. 

• The mailbox address can either be a default address or one established by agree- 
ment between the sender and receiver. This agreement is necessary so that the 
receiver may retrieve the message. 

- A receiver uses the pull or peek protocol to retrieve messages sent to a known 
mailbox address under his public key. 

Because messages will accumulate at the servers, they may wish to determine some 
schedule on which to delete messages. Reasonable options include deleting all messages 
at set intervals, or deleting all messages of a certain set age. 

Privacy. We achieve the content privacy and unlinkability anonymity properties as
described in [9]. If the sender encrypts the message submitted to the servers, the servers
cannot read the message, which thus achieves content privacy. Unlinkability concerns the
ability of the servers to determine which pairs of users (if any) are communicating. As
the $P^3$ servers cannot determine the public key under which a label was encrypted, the
label itself, or the text of the message, they have no advantage in determining the intended
recipient of a message. Nor can they determine which message a client retrieved, if any,
or even if a message has been retrieved by any client at any past time. Thus the servers
have no advantage in determining which client was the actual recipient of any given
message.

As well as these properties, we achieve anonymity between senders and receivers. 
Any party may either retain this anonymity, or identify himself to other parties. 

Senders are by default anonymous to receivers if they address their message to the 
default mailbox address. Note that the key with which they addressed their message 
is invisible to the recipient, and so a recipient cannot give a certain public key to a 
certain sender to abridge their anonymity. A sender may construct an anonymous return 
address, for use in addressing return messages, by encrypting an appropriate label under 
the sender’s own public key. As we require key privacy of the cryptosystem used, the 
receiver cannot link the public key used to the identity of the sending party. A sender 
may sign their messages using a key to which they have attached an identity, if they do 
not wish to be anonymous. 

Asynchronous Communication. Our system also benefits from the property of asyn- 
chrony, meaning that the senders and receivers do not have to be on-line simultaneously 
to communicate. The system is analogous to a bulletin board, where senders deposit 
messages and from which receivers retrieve them in a given interval of time. From this 
perspective, our system offers a different type of service than most prior approaches 
to anonymous communication (e.g., [4,16,5,19,18]) which anticipate the receiver being 
available when the sender sends. A notable exception is [9], which bears similarity to our 
approach. However, our use of $P^3$ permits better communication complexity between
the clients and servers than does the use of PIR in [9].

6 Conclusion 

We defined the Private Push and Pull ($P^3$) architecture. This allows clients to privately add
(through the push protocol) and retrieve (through the pull or peek protocols) records 
in the database through transparent interaction with any of the distributed database 
servers. Under the protocols given, the servers identify which record is to be returned 
through keyword matching under a particular secret key. If at most t of n servers are 
actively corrupted, the keyword, key, and return result of a pull or peek protocol is 
computationally hidden from the servers, and any number of colluding clients. 

Client communication in $P^3$ is independent of both the size of the database and the
number of database servers, and requires only the number of ciphertexts corresponding to 
encryption of the data. Communication between the servers is linear in both the number 
of records in the database and the number of servers. 

Using these protocols, we suggest an implementation of an anonymous messaging 
system. It achieves unlinkability, but both sender and receiver anonymity can be achieved 
through slight modifications. 
Abstract. We study the setting in which a user stores encrypted documents
(e.g. e-mails) on an untrusted server. In order to retrieve documents
satisfying a certain search criterion, the user gives the server
a capability that allows the server to identify exactly those documents. 
Work in this area has largely focused on search criteria consisting of a 
single keyword. If the user is actually interested in documents contain- 
ing each of several keywords ( conjunctive keyword search) the user must 
either give the server capabilities for each of the keywords individually 
and rely on an intersection calculation (by either the server or the user) 
to determine the correct set of documents, or alternatively, the user may 
store additional information on the server to facilitate such searches. Nei- 
ther solution is desirable; the former enables the server to learn which 
documents match each individual keyword of the conjunctive search and 
the latter results in exponential storage if the user allows for searches on 
every set of keywords. 

We define a security model for conjunctive keyword search over en- 
crypted data and present the first schemes for conducting such searches 
securely. We propose first a scheme for which the communication cost is 
linear in the number of documents, but that cost can be incurred “of- 
fline” before the conjunctive query is asked. The security of this scheme 
relies on the Decisional Diffie-Hellman (DDH) assumption. We propose a 
second scheme whose communication cost is on the order of the number 
of keyword fields and whose security relies on a new hardness assumption. 

Keywords: Searching on encrypted data. 



1 Introduction 

The proliferation of small hand-held devices and wireless networking enables 
mobile users to access their data at any time and from anywhere. For reasons 
of cost and convenience, users often store their data not on their own machine,
but on remote servers that may also offer better connectivity. When the server is 
untrusted, users ensure the confidentiality of their data by storing it encrypted. 

Document encryption, however, makes it hard to retrieve data selectively 
from the server. Consider, for example, a server that stores a collection of en- 
crypted emails belonging to a user. The server is unable to determine the subset 
of encrypted emails defined by a search criteria such as “urgent e-mail” or “e-mail 
from Bob”. 

The first practical solution to the problem of searching encrypted data by 
keyword is given in [15]. Documents and keywords are encrypted in a way that 
allows the server to determine which documents contain a certain keyword W 
after receiving from the user a piece of information called a capability for keyword 
W. The capability for W reveals only which documents contain keyword W and 
no other information. Without a capability, the server learns nothing about 
encrypted documents. Recent improvements and extensions to this scheme are 
given in [3,9,17]. 

A limitation common to all these schemes is that they only allow the server 
to identify the subset of documents that match a certain keyword, but do not 
allow for boolean combinations of such queries. Yet boolean combinations of 
queries appear essential to make effective use of a document repository, since 
simple keyword search often yields far too coarse results. For example, rather 
than retrieving all emails from “Bob”, a user might only want those emails from 
Bob that are marked urgent and pertain to finance, in which case what is needed 
is the ability to search on the conjunction of the keywords, “Bob”, “urgent” and 
“finance” . 

In this paper, we propose protocols that allow for conjunctive keyword queries 
on encrypted data. Although such conjunctive searches certainly do not encom- 
pass all possible search criteria, we believe that they are a crucial building block 
as indicated by the reliance of today’s web search engines on conjunctive search 
(see, for example [10]). To motivate the problem of conjunctive search further, 
and illustrate the difficulties it raises, we briefly review two simple solutions and 
explain why they are unsatisfactory: 

— Set intersection. A first approach to the problem of conjunctive keyword 
search is to build upon the simple keyword search techniques of [15] . Given a 
conjunction of keywords, we may provide the server with a search capability 
for every individual keyword in the conjunction. For every keyword, the 
server finds the set of documents that match that keyword, then returns the 
intersection of all those sets. This approach is flawed because it allows the 
server to learn a lot of extra information in addition to the results of the 
conjunctive query. Indeed, the server can observe which documents contain 
each individual keyword. Over time, the server may combine this information 
with knowledge of statistically likely searches to infer information about the 
user’s documents. 

— Meta-keywords. Another approach is to define a meta-keyword for ev- 
ery possible conjunction of keywords. Like regular keywords, these meta- 
keywords can be associated with documents. For example, a document that 
contains the keywords “Bob”, “urgent” and “finance” may be augmented
with the meta-keyword “Bob: urgent: finance”. With the techniques of [15], 
meta-keywords allow for conjunctive keyword search. The obvious drawback 
of this approach is that a document that contains m keywords requires an 
additional 2 m meta-keywords to allow for all possible conjunctive queries. 
This leads to an exponential (in m) blow-up in the amount of data that must 
be stored on the server. 

These two failed approaches illustrate the twin requirements of conjunctive 
search protocols: security and efficiency. The first contribution of this paper is to 
formalize these goals. Specifically, we define a formal security model for conjunc- 
tive keyword search on encrypted data. This security model states, essentially, 
that the server should learn nothing other than the result of the conjunctive 
query. In particular, the server should not be able to generate new capabilities 
from existing capabilities, other than logical extensions, such as using a capability
for $W_1$ and a capability for $W_2$ to generate a capability for $W_1 \wedge W_2$. Recall
that security is only considered in the context of single keyword search in [3,15, 
9], and so our definitions present a significant extension to prior security models. 

We present two schemes that provably meet our definition of security. Both 
of our schemes come with a moderate storage cost. Our first scheme incurs a 
communication cost per query that is linear in the number of documents stored. 
However, the linear portion of this cost may be pre-transmitted and a constant 
size cost can then be paid when the user decides which query is of interest. 
Our second scheme works in groups for which there exists an admissible bilinear 
map [13,2] and relies on a new hardness assumption for its security. This scheme 
has the desirable attribute of requiring only constant communication with no 
need for pre-transmissions. 

Overview. This paper is organized as follows. In Section 1.1 we discuss related 
work. Section 2 covers our notation, security definitions and hardness assump- 
tions. We present a scheme for conjunctive search with amortized linear cost in 
Section 3 and a scheme with constant cost in Section 4. We conclude in Section 5. 



1.1 Related Work 

In [15], Song, Wagner and Perrig study a model of secure search over encrypted 
data that is similar to ours in that they consider a bandwidth constrained user 
who stores documents on an untrusted server. When the user needs all docu- 
ments containing a certain keyword he provides the server with a small piece 
of information (called a capability) that enables the server to identify the de- 
sired (encrypted) documents. They propose an efficient, secret key method for 
enabling single keyword search that is provably secure. However, they do not 
provide a method for secure conjunctive search and it is hard to see how their 
techniques might be extended to accomplish this because their capabilities are 
deterministic and thus can potentially be combined to generate new capabilities. 
In our schemes we use modular exponentiation (hence, we incur more compu- 
tational cost than [15]) and randomization of the capabilities to ensure that a 
capability to search for documents containing both keyword $W_1$ and keyword
$W_2$ is incompatible with a capability for $W_1$, and thus can't be used to generate
a capability for $W_2$.

The use of search over encrypted data in file-sharing networks is investigated 
in [4], where a secret key system enabling sharing of, and searching for, encrypted 
data is described. 

In [9], Goh presents an efficient scheme for keyword search over encrypted
data using Bloom filters. Determining whether a document contains a keyword 
can be done securely in constant time, however, the scheme does not support 
secure conjunctive search. 

The first public key schemes for keyword search over encrypted data are 
presented in [3] . The authors consider a setting in which the sender of an email 
encrypts keywords under the public key of the recipient in such a way that 
the recipient is able to give capabilities for any particular keyword to their mail 
gateway for routing purposes. Conjunctive keyword search is not supported in [3] . 
An efficient implementation of a public key scheme for keyword search tailored 
for documents that are the audit trails of users querying a database is in [17]. 

The related notion of negotiated privacy is introduced in [12]. A negotiated 
privacy scheme differs from the problem of encrypted search as studied here and 
in [15,3,9] in that the goal is to provide data collectors with the guaranteed 
ability to conduct specific searches. 

Finally, we note that there are existing techniques for searching over en- 
crypted data with increased security but with far less efficiency than our schemes 
and those described above. For example, private information retrieval (PIR) 
schemes (see, for example [6,7,5]) can potentially be used to solve this problem. 
A PIR scheme allows a user to retrieve information from a database server pri- 
vately, that is without the server learning what information was retrieved. Hence, 
with a PIR scheme a user can search the documents stored on the database, and 
thus recover the documents of interest on their own. However, PIR schemes are 
designed in order to achieve higher security than we require (in a computational 
sense, the server in a PIR scheme has no information about what documents 
are retrieved) and thus come with far higher communication cost. Similarly, the 
notion of an oblivious RAM [11] can be leveraged to achieve heightened security, 
but with a significant efficiency cost. By accepting a weaker security guaran- 
tee that seems quite reasonable for our applications we are able to achieve a 
moderate communication cost. 

2 Model 

We consider a user that stores encrypted documents on an untrusted server. Let 
n be the total number of documents. We assume there are m keyword fields 
associated with each document. If documents were emails for example, we might 
define the following 4 keyword fields: “From”, “To”, “Date” and “Subject”. For 
simplicity, we make the following assumptions: 

Secure Conjunctive Keyword Search over Encrypted Data 35

— We assume that the same keyword never appears in two different keyword
fields. The easiest way to satisfy this requirement is to prepend keywords
with the name of the field they belong to. Thus for example, the keyword
“From:Bob” belongs to the “From” field and can not be confused with the
keyword “To:Bob” that belongs to the “To” field.

— We assume that every keyword field is defined for every document. This
requirement is easily satisfied. In our email example, we may assign the key-
word “Subject:NULL” in the “Subject” field to emails that have no subject.

From here onwards, we identify documents with the vector of $m$ keywords
that characterize them. For $i = 1, \ldots, n$, we denote the $i$th document by $D_i =
(W_{i,1}, \ldots, W_{i,m})$, where $W_{i,j}$ is the keyword of document $D_i$ in the $j$th keyword
field. The body of the $i$th document can be encrypted with a standard symmetric
key cipher and stored on the server next to the vector of keywords $D_i$. For ease
of presentation we ignore the body of the document and concern ourselves only
with the encryption of the keyword vector, $D_i$.

When discussing a capability that enables the server to verify that a docu-
ment contains a specific keyword in field $j$, we denote the keyword by $W_j$. A
scheme for conjunctive keyword search consists of five algorithms, the first four
of which are randomized:

— A parameter generation algorithm $\mathrm{Param}(1^k)$ that takes as input a security
parameter $k$ and outputs public system parameters $p$.

— A key generation algorithm $\mathrm{KeyGen}(p)$ that outputs a set $K$ of secret keys
for the user.

— An encryption algorithm $\mathrm{Enc}(p, K, D_i)$ that takes as input $p$, $K$ and a doc-
ument $D_i = (W_{i,1}, \ldots, W_{i,m})$ and outputs an encryption of the vector of
keywords.

— An algorithm to generate capabilities $\mathrm{GenCap}(p, K, j_1, \ldots, j_t, W_{j_1}, \ldots, W_{j_t})$
that takes as input $p$, $K$ as well as $1 \le t \le m$ keyword field indices $j_1, \ldots, j_t$
and $t$ keyword values $W_{j_1}, \ldots, W_{j_t}$ and outputs a value Cap, the capability
to search for keywords $W_{j_1}, \ldots, W_{j_t}$. We call the portion of the capability
that consists of the fields being searched over, $\{j_1, \ldots, j_t\}$, the support of
the capability and denote it $\mathrm{Sup}(\mathrm{Cap})$.

— A verification algorithm $\mathrm{Ver}(p, \mathrm{Cap}, \mathrm{Enc}(p, K, D_i))$ that takes as input $p$, a
capability $\mathrm{Cap} = \mathrm{GenCap}(p, K, j_1, \ldots, j_t, W_{j_1}, \ldots, W_{j_t})$ and an encrypted
document $\mathrm{Enc}(p, K, D_i)$ where $D_i = (W_{i,1}, \ldots, W_{i,m})$ and returns true if the
expression $((W_{i,j_1} = W_{j_1}) \wedge (W_{i,j_2} = W_{j_2}) \wedge \ldots \wedge (W_{i,j_t} = W_{j_t}))$ holds and
false otherwise.

Finally, throughout this paper we use the term negligible function to refer to
a function $\eta : \mathbb{N} \to \mathbb{R}$ such that for any $c \in \mathbb{N}$, there exists $n_c \in \mathbb{N}$, such that
$\eta(n) < 1/n^c$ for all $n > n_c$.



2.1 Security Definitions 

A capability Cap enables the server to divide documents into two groups: those 
that satisfy the capability, and those that do not. Intuitively, a conjunctive key- 
word search scheme is secure if the server learns no other information from a 
set of encrypted documents and capabilities. In this section, we formalize this
notion of security. To facilitate the security definitions we define a randomized
document $\mathrm{Rand}(D, T)$, for any set of indices $T \subseteq \{1, \ldots, m\}$ and document
$D = (W_1, \ldots, W_m)$. $\mathrm{Rand}(D, T)$ is formed from $D$ by replacing the keywords of
$D$ that are indexed by $T$ (i.e., the set $\{W_i \mid i \in T\}$) by random values. Now we
define distinguishing capabilities:

Definition 1. A capability Cap is distinguishing for documents $D_i$ and $D_j$ if 

$$\mathrm{Ver}(p, \mathrm{Cap}, \mathrm{Enc}(p, K, D_i)) \neq \mathrm{Ver}(p, \mathrm{Cap}, \mathrm{Enc}(p, K, D_j))$$ 

Given a set of indices, $T \subseteq \{1, \ldots, m\}$, a capability Cap distinguishes a document 
$D$ from $\mathrm{Rand}(D, T)$ if 

$$\mathrm{Ver}(p, \mathrm{Cap}, \mathrm{Enc}(p, K, D)) = \mathrm{true} \quad \text{and} \quad T \cap \mathrm{Sup}(\mathrm{Cap}) \neq \emptyset$$ 

Note that with high probability the capabilities defined in part 2 of Definition 1 
are distinguishing for $D$ and $\mathrm{Rand}(D, T)$ as defined in part 1 of the 
definition. We provide the second part of the definition largely to introduce some 
convenient terminology. 

We define security for a conjunctive keyword search scheme in terms of 
a game between a polynomially bounded adversary $A$ (the server) and a 
challenger (the user). The goal of $A$ is to distinguish between the encryptions 
of two documents, $D_0$ and $D_1$ chosen by $A$. Observe that $A$ succeeds trivially 
if it is given a distinguishing capability for $D_0$ and $D_1$. We say that the 
scheme is secure if $A$ cannot distinguish $D_0$ and $D_1$ with non-negligible advantage 
without the help of a distinguishing capability for $D_0$ and $D_1$. Formally: 

Security Game ICC (indistinguishability of ciphertext from ciphertext) 

1. The adversary, $A$, adaptively requests the encryption, $\mathrm{Enc}(p, K, D)$, of documents, 
$D$, and search capabilities, Cap. 

2. $A$ picks two documents, $D_0, D_1$ such that none of the capabilities Cap given 
in step 1 is distinguishing for $D_0$ and $D_1$. The challenger then chooses $b$ 
randomly from $\{0, 1\}$ and gives $A$ an encryption of $D_b$. 

3. $A$ may again ask for encrypted documents and capabilities, with the restriction 
that $A$ may not ask for a capability that is distinguishing for $D_0$ and 
$D_1$. The total number of all ciphertext and capability requests is polynomial 
in $k$. 

4. $A$ outputs $b_A \in \{0, 1\}$ and is successful if $b_A = b$. We define the adversary's 
advantage as: $\mathrm{Adv}_A(1^k) = |\Pr[b_A = b] - 1/2|$, and the adversary is said to 
have an $\epsilon$-advantage if $\mathrm{Adv}_A(1^k) > \epsilon$. 



Definition 2. We say a conjunctive search scheme is secure according to the 
game ICC if for any polynomial time adversary $A$, $\mathrm{Adv}_A(1^k)$ is a negligible 
function of the security parameter $k$. 




Secure Conjunctive Keyword Search over Encrypted Data 



37 



We next define two variants of this security game that will simplify our 
proofs. In the first variant, the adversary chooses only one document $D_0$ as 
well as a subset $T$ of the keywords of $D_0$. The challenger creates a document 
$D_1 = \mathrm{Rand}(D_0, T)$. The goal of $A$ is to distinguish between an encryption of 
$D_0$ and an encryption of $D_1$. As before, to make the game non-trivial, we need 
to place restrictions on the capabilities that $A$ is allowed to ask for. Specifically, 
$A$ may not ask for a capability that is distinguishing for $D_0$ and $D_1$. 

Security Game ICR (indistinguishability of ciphertexts from random) 

1. $A$ may request the encryption $\mathrm{Enc}(p, K, D)$ of any documents $D$, and any 
search capabilities Cap. 

2. $A$ chooses a document $D_0$ and a subset $T \subseteq \{1, \ldots, m\}$ such that none of the 
capabilities Cap given in step 1 distinguishes $D_0$ from $D_1 = \mathrm{Rand}(D_0, T)$. 
The challenger then chooses a random bit $b$ and gives $\mathrm{Enc}(p, K, D_b)$ to $A$. 

3. $A$ again asks for encrypted documents and capabilities, with the restriction 
that $A$ may not ask for a capability that distinguishes $D_0$ from $D_1$. The 
total number of ciphertext and capability requests is polynomial in $k$. 

4. $A$ outputs $b_A \in \{0, 1\}$ and is successful if $b_A = b$. As in game ICC, we define 
the adversary's advantage as $\mathrm{Adv}_A(1^k) = |\Pr[b_A = b] - 1/2|$. 

Proposition 1. If there is an adversary $A$ that wins Game ICC with advantage 
$\epsilon$, then there exists an adversary $A'$ that wins Game ICR with advantage $\epsilon/2$. 

Proof. The proof of this proposition is standard and is left to the extended 
version of this paper. 

Our final security game is quite similar to ICR except that we now 
consider an adversary who is able to distinguish between $\mathrm{Rand}(D, T)$ and 
$\mathrm{Rand}(D, T - \{t\})$, for some document $D$ and set of indices $T$, $t \in T$. Again, this 
game enables simpler security proofs. 

Security Game ICLR (indistinguishability of ciphertexts from limited random) 

1. $A$ may request the encryption $\mathrm{Enc}(p, K, D)$ of any documents $D$ and any 
search capabilities Cap. 

2. $A$ chooses a document $D$, a subset $T \subseteq \{1, \ldots, m\}$ and a value $t \in T$ 
such that none of the capabilities Cap given in step 1 are distinguishing for 
$\mathrm{Rand}(D, T)$ and $\mathrm{Rand}(D, T - \{t\})$. The challenger then chooses a random bit 
$b$. If $b = 0$, the adversary is given $\mathrm{Enc}(p, K, D_0)$, where $D_0 = \mathrm{Rand}(D, T - \{t\})$. 
If $b = 1$, the adversary is given $\mathrm{Enc}(p, K, D_1)$, where $D_1 = \mathrm{Rand}(D, T)$. 

3. $A$ again asks for encrypted documents and capabilities, with the restriction 
that $A$ may not ask for a capability that is distinguishing for $D_0$ and $D_1$. 
The total number of ciphertext and capability requests is polynomial in $k$. 

4. $A$ outputs $b_A \in \{0, 1\}$ and is successful if $b_A = b$. As in game ICC, we define 
the adversary's advantage as $\mathrm{Adv}_A(1^k) = |\Pr[b_A = b] - 1/2|$. 

Proposition 2. If there is an adversary $A$ that wins Game ICR with advantage 
$\epsilon$, then there exists an adversary $A'$ that wins Game ICLR with advantage $\epsilon/m^2$. 

Proof. The proof of this proposition is standard and is left to the extended 
version of this paper. 

2.2 Hardness Assumptions 

The proofs of security of our conjunctive search schemes are based on two well- 
known hardness assumptions, Decisional Diffie-Hellman (DDH) and Bilinear De- 
cisional Diffie-Hellman (BDDH). We briefly describe each of them here, referring 
the reader to [1] for additional information on DDH and to [2,13] for additional 
information on BDDH. 

Decisional Diffie-Hellman. Let $G$ be a group of prime order $q$ and $g$ a 
generator of $G$. The DDH problem is to distinguish between triplets of the form 
$(g^a, g^b, g^{ab})$ and $(g^a, g^b, g^c)$, where $a, b, c$ are random elements of $\{1, \ldots, q-1\}$. 
We say a polynomial time adversary $A$ has advantage $\epsilon$ in solving DDH if 
$|\Pr[A(g^a, g^b, g^{ab}) = \mathrm{true}] - \Pr[A(g^a, g^b, g^c) = \mathrm{true}]| > \epsilon$. 

Bilinear Decisional Diffie-Hellman.¹ Let $G_1$ and $G_2$ be groups of prime 
order $q$, with an admissible bilinear map (see [2]) $e : G_1 \times G_1 \to G_2$, and let 
$g$ be a generator of $G_1$. The BDDH problem is to distinguish 4-tuples of the 
form $(g^a, g^b, g^c, g^{abc})$ and $(g^a, g^b, g^c, g^d)$, where $a, b, c, d$ are random elements of 
$\{1, \ldots, q-1\}$. We say a polynomial time adversary $A$ has advantage $\epsilon$ in solving 
BDDH if $|\Pr[A(g^a, g^b, g^c, g^{abc}) = \mathrm{true}] - \Pr[A(g^a, g^b, g^c, g^d) = \mathrm{true}]| > \epsilon$. 

3 A Conjunctive Search Scheme with Constant Online 
Communication Cost 

In the following protocol, the size of the capabilities for conjunctive queries is 
linear in the total number of documents stored on the server, but the majority 
of the communication cost between the user and the server can be done offline. 
More precisely, each capability consists of 2 parts: 

— A “proto-capability” part, that consists of an amount of data that is 
linear in n, the total number of encrypted documents stored on the server. 
This data is independent of the conjunctive query that the capability allows, 
and may therefore be transmitted offline, possibly long before the user even 
knows the actual query that the proto-capability will be used for. 

— A “query” part: a constant amount of data that depends on the conjunctive 
query that the capability allows. This data must be sent online at the 
time the query is made. Note that we call this amount of data constant because 
it does not depend on the number of documents stored on the server, 
but only on the number, $m$, of keyword fields per document. 

1 BDDH has appeared in two forms, one in which the last element of the challenge 
4-tuple is in the range of bilinear map and a stronger version that we present here 
and which is used in [16]. 
The following scenario illustrates how this search protocol might work in 
practice. An untrusted server with high storage capacity and reliable network 
connectivity stores encrypted documents on behalf of a user. Whenever the user 
has access to a machine with a high-bandwidth connection (say a home PC), they 
precompute a lot of proto-capabilities and send them to the server. The server 
stores these proto-capabilities alongside the encrypted documents until they are 
used (proto-capabilities are discarded after being used once). If the user has 
access only to a low-bandwidth connection (a hand-held device, for example) at the 
time they want to query their document repository, the user need only send the 
constant-size query part of the capability. The server combines that second part 
with one proto-capability received earlier to reconstitute a full capability that 
allows it to reply to the user's query. In this manner the high-cost portion of the 
communication complexity can be pre-transmitted by the higher-performance 
desktop and only a small burden is placed on the hand-held device. 

Note that this scenario assumes the user does not store their documents 
directly on their own machine but on an untrusted server. We justify this 
assumption with the observation that the untrusted server likely offers more 
reliable and more available network connectivity than a machine belonging to 
the user. 

System parameters and key generation. The function $\mathrm{Param}(1^k)$ returns 
parameters $p = (G, g, f(\cdot, \cdot), h(\cdot))$, where $G$ is a group of order $q$ in which DDH 
is hard, $g$ is a generator of $G$, $f : \{0,1\}^k \times \{0,1\}^* \to \mathbb{Z}_q^*$ is a keyed function and 
$h$ is a hash function. We use $h$ as a random oracle. The security parameter $k$ is 
used implicitly in the choice of the group $G$ and the functions $f$ and $h$. The key 
generation algorithm KeyGen returns a secret key $K \in \{0,1\}^k$ for the function 
$f$, and we denote $f(K, \cdot)$ by $f_K(\cdot)$. The family $\{f_K(\cdot)\}_K$ is a pseudorandom 
function family. 

Encryption algorithm. We show how to compute $\mathrm{Enc}(p, K, D_i)$ where $D_i = 
(W_{i,1}, \ldots, W_{i,m})$. Let $V_{i,j} = f_K(W_{i,j})$ for $j = 1, \ldots, m$. Let $a_i$ be a value chosen 
uniformly at random from $\mathbb{Z}_q^*$. The output is: 

$$\mathrm{Enc}(p, K, D_i) = \left(g^{a_i},\ g^{a_i V_{i,1}},\ \ldots,\ g^{a_i V_{i,m}}\right)$$ 

Generating a capability $\mathrm{Cap} = \mathrm{GenCap}(p, K, j_1, \ldots, j_t, W_{j_1}, \ldots, W_{j_t})$. 
The capability Cap consists of a vector $Q$ of size linear in the number of documents 
(the proto-capability that can be sent offline), and of an additional value 
of constant size (the query part). Let $s$ be chosen uniformly at random from $\mathbb{Z}_q^*$. 
The vector $Q$ is defined as: 

$$Q = \left(h(g^{a_1 s}),\ h(g^{a_2 s}),\ \ldots,\ h(g^{a_n s})\right)$$ 

In addition, we define the value $C = s + \left(\sum_{w=1}^{t} f_K(W_{j_w})\right)$. The capability is the 
$(t+2)$-tuple, $\mathrm{Cap} = (Q, C, j_1, \ldots, j_t)$. 

Verification. The server computes $R_i = g^{a_i C} \cdot g^{-a_i \left(\sum_{w=1}^{t} f_K(W_{i,j_w})\right)}$ and returns true 
if $h(R_i) = h(g^{a_i s})$ (the $i$-th entry of $Q$) and false otherwise. 
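The scheme above, together with $\mathrm{Rand}(D, T)$ and the distinguishing-capability notion of Definition 1 from Section 2.1, as an added Python example; this is not code from the paper. It instantiates $G$ as the order-$q$ subgroup of a freshly generated 64-bit safe prime (a constructed toy group, far too small for real use), $f_K$ as HMAC-SHA256 reduced into $\mathbb{Z}_q^*$, and $h$ as SHA-256 standing in for the random oracle; field indices are 0-based, the function names are the example's own, and the sample documents are constructed for the demo. The demo puts $D$ and $\mathrm{Rand}(D, T)$ in the server's store and checks that a capability whose support is disjoint from $T$ does not distinguish them while one whose support meets $T$ does.

```python
import hashlib
import hmac
import secrets

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def param(bits=64):
    """Param(1^k): a toy DDH group constructed for this example (far too small for
    real use): p = 2q + 1 is a safe prime and g generates the order-q subgroup
    of Z_p^*, so every exponent lives in Z_q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, 2, p)  # a square != 1 has order q
        if g != 1:
            return p, q, g

P, Q, G = param()

def f_K(key, word):
    """Keyed PRF f_K : {0,1}^k x {0,1}^* -> Z_q^*, instantiated with HMAC-SHA256."""
    digest = hmac.new(key, word.encode(), hashlib.sha256).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def h(x):
    """The hash h (the scheme's random oracle), applied to a group element."""
    return hashlib.sha256(str(x).encode()).hexdigest()

def enc(K, doc):
    """Enc(p, K, D_i) = (g^{a_i}, g^{a_i V_{i,1}}, ..., g^{a_i V_{i,m}}), V_{i,j} = f_K(W_{i,j})."""
    a = secrets.randbelow(Q - 1) + 1
    return (pow(G, a, P), tuple(pow(G, a * f_K(K, w) % Q, P) for w in doc))

def gencap(K, store, fields, words):
    """GenCap over the ciphertexts in `store`; `fields` are 0-based indices
    j_1..j_t and `words` the keywords W_{j_1}..W_{j_t} searched for."""
    s = secrets.randbelow(Q - 1) + 1
    # Proto-capability Q = (h(g^{a_1 s}), ..., h(g^{a_n s})): one entry per stored
    # document and independent of the query, so it can be sent ahead of time.
    proto = tuple(h(pow(g_ai, s, P)) for g_ai, _ in store)
    # Query part C = s + sum_w f_K(W_{j_w}): constant size, sent at query time.
    C = (s + sum(f_K(K, w) for w in words)) % Q
    return (proto, C, tuple(fields))

def ver(cap, i, ctext):
    """Ver: R_i = g^{a_i C} / prod_w g^{a_i V_{i,j_w}}; true iff h(R_i) equals Q_i."""
    proto, C, fields = cap
    g_ai, parts = ctext
    R = pow(g_ai, C, P)
    for j in fields:
        R = R * pow(parts[j], P - 2, P) % P  # divide by g^{a_i V_{i,j}}
    return h(R) == proto[i]

def rand_doc(doc, T):
    """Rand(D, T): replace the keywords indexed by T with fresh random values."""
    return tuple(secrets.token_hex(8) if j in T else w for j, w in enumerate(doc))

def is_distinguishing(cap, store, i, j):
    """Definition 1: Cap is distinguishing for stored documents i and j if Ver differs."""
    return ver(cap, i, store[i]) != ver(cap, j, store[j])

def demo():
    K = secrets.token_bytes(32)  # KeyGen: a random 256-bit key for f
    D = ("alice", "urgent", "finance")  # constructed document with m = 3 fields
    T = {1}
    store = [enc(K, D), enc(K, rand_doc(D, T))]  # D_0 = D, D_1 = Rand(D, T)
    # Support {0, 2} is disjoint from T: both documents satisfy the capability.
    cap_disjoint = gencap(K, store, (0, 2), ("alice", "finance"))
    # Support {0, 1} meets T: only D_0 satisfies it, so it distinguishes D_0 from D_1.
    cap_meets = gencap(K, store, (0, 1), ("alice", "urgent"))
    # A keyword present in neither document matches nothing.
    cap_wrong = gencap(K, store, (0,), ("bob",))
    return (is_distinguishing(cap_disjoint, store, 0, 1),
            is_distinguishing(cap_meets, store, 0, 1),
            ver(cap_wrong, 0, store[0]))
```

Note that `gencap` reads only the first component $g^{a_i}$ of each stored ciphertext when it builds the proto-capability, which is what allows that part to be precomputed before the query is known, and that the server never learns $s$ or any $f_K$ value: it only compares the hash of $R_i$ against the hash it was given.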
3.1 Security Analysis 

Proposition 3. The scheme of Section 3 is secure according to game ICC in 
the random oracle model if DDH is hard in $G$. 

Proof. By Propositions 1 and 2, we know that the existence of an adversary 
that wins game ICC with non-negligible probability implies the existence of an 
adversary that wins game ICLR with non-negligible probability. Let $A$ be an 
adversary that wins game ICLR with advantage $\epsilon$. We build an adversary $A'$ 
that uses $A$ as a subroutine and breaks DDH with non-negligible advantage. 

The algorithm $A'$ first calls the function Param to generate the parameters 
$p = (G, g, f, h)$. Let $g^a, g^b, g^c$ be a Diffie-Hellman challenge (the challenge is to 
determine whether $c = ab$). $A'$ guesses a value $z$ for the position $t$ that $A$ will 
choose in step 2 of the game ICLR, by picking $z$ uniformly independently at 
random in $\{1, \ldots, m\}$. 

The algorithm $A'$ simulates the function Enc as follows. $A'$ associates with 
every keyword $W_i$ a random value $x_i$. When asked to compute $\mathrm{Enc}(p, K, D)$ where 
$D = (W_1, \ldots, W_m)$, $A'$ chooses a random value $a_i$ and outputs: 

$$\mathrm{Enc}(p, K, D) = \left(g^{a_i},\ g^{a_i x_1},\ \ldots,\ (g^b)^{a_i x_z},\ \ldots,\ g^{a_i x_m}\right)$$ 

When asked to compute $\mathrm{Cap} = \mathrm{GenCap}(p, K, j_1, \ldots, j_t, W_{j_1}, \ldots, W_{j_t})$, $A'$ outputs 
a vector $Q = (T_1, \ldots, T_n)$ of random values and a random value for $C$. 
To evaluate $\mathrm{Ver}(p, \mathrm{Cap}, \mathrm{Enc}(p, K, D_i))$, $A$ must compute $R_i$ and then ask $A'$ for 
the value $h(R_i)$. $A'$ knows whether $D_i$ satisfies Cap or not. If it does, $A'$ defines 
$h(R_i) = T_i$. Otherwise $A'$ returns a random value for $h(R_i)$. 

Finally, $A$ submits a challenge document $D = (W_1, \ldots, W_m)$ for encryption 
along with a set $T \subseteq \{1, \ldots, m\}$ and a value $t \in T$. If $z \neq t$, $A'$ returns a random 
guess in reply to the DDH challenge. With probability $1/m$, we have $z = t$ and in 
that case $A'$ proceeds as follows. Let $E_t = (g^c)^{x_t}$. For $j \in T$, $j \neq t$, let $E_j = R_j$ 
for a random value $R_j$. For $j \notin T$, let $E_j = (g^a)^{x_j}$. $A'$ returns to $A$ the following 
ciphertext: 

$$\left(g^a,\ E_1,\ \ldots,\ E_m\right)$$ 

Observe that this ciphertext is an encryption of $D$ in every position $j \notin T$. If 
$c = ab$, this ciphertext is also an encryption of $D$ in position $t$; otherwise it is 
not. 

Now $A$ is again allowed to ask for encryption of documents and for capabilities, 
with the restriction that $A$ may not ask for capabilities that are distinguishing 
for $\mathrm{Rand}(D, T - \{t\})$ and $\mathrm{Rand}(D, T)$. This restriction ensures that $A'$ 
can reply to all the queries of $A$ as before. 

Finally $A$ outputs a bit $b_A$. If $b_A = 0$, $A'$ guesses that $g^a, g^b, g^c$ is not a DDH 
triplet. If $b_A = 1$, $A'$ guesses that $g^a, g^b, g^c$ is a DDH triplet. Since the encryption 
will be random at position $t$ if and only if the challenge is not a DDH tuple, $A'$ 
solves the DDH challenge with the same advantage that $A$ has in winning game 
ICLR. □ 
4 A Conjunctive Search Scheme with Constant 
Communication Cost 



In this section, we describe a protocol for which the total communication cost of 
sending a capability to the server is constant in the number of documents (but 
linear in the number of keyword fields). With this protocol, a low-bandwidth 
hand-held device will be able to construct capabilities on its own and the overall 
communication overhead will be low. 



System parameters and key generation. The function $\mathrm{Param}(1^k)$ returns 
parameters $p = (G_1, G_2, e, g, f(\cdot, \cdot))$, where $G_1$ and $G_2$ are two groups of order 
$q$, $g$ is a generator of $G_1$, $e : G_1 \times G_1 \to G_2$ is an admissible bilinear map and 
$f : \{0,1\}^k \times \{0,1\}^* \to \mathbb{Z}_q^*$ is a keyed function. The security parameter $k$ is used 
implicitly in the choice of the groups $G_1$ and $G_2$. The key generation algorithm 
KeyGen returns a secret value $\alpha$ and $K$. Again, we denote $f(K, \cdot)$ by $f_K(\cdot)$, and 
$\{f_K(\cdot)\}_K$ forms a pseudorandom function family. 



Encryption algorithm. We show how to compute $\mathrm{Enc}(p, K, D_i)$ where $D_i = 
(W_{i,1}, \ldots, W_{i,m})$. Let $V_{i,j} = f_K(W_{i,j})$ for $j = 1, \ldots, m$. Let $R_{i,j}$ for $j = 1, \ldots, m$ 
be $m$ values drawn uniformly independently at random from $\mathbb{Z}_q^*$. Let $a_i$ be a value 
chosen uniformly at random from $\mathbb{Z}_q^*$. The function Enc returns: 

$$\left(g^{a_i},\ \left(g^{a_i (V_{i,1} + R_{i,1})},\ \ldots,\ g^{a_i (V_{i,m} + R_{i,m})}\right),\ \left(g^{a_i \alpha R_{i,1}},\ \ldots,\ g^{a_i \alpha R_{i,m}}\right)\right)$$ 

Generating a capability $\mathrm{Cap} = \mathrm{GenCap}(p, K, j_1, \ldots, j_t, W_{j_1}, \ldots, W_{j_t})$. 

Let $r$ be a value chosen uniformly at random from $\mathbb{Z}_q^*$. The capability Cap is: 

$$\mathrm{Cap} = \left(g^{\alpha r},\ g^{\alpha r \left(\sum_{w=1}^{t} f_K(W_{j_w})\right)},\ g^r,\ j_1,\ \ldots,\ j_t\right)$$ 

Verification. We show how to compute $\mathrm{Ver}(p, \mathrm{Cap}, \mathrm{Enc}(p, K, D_i))$ where $\mathrm{Cap} = 
(g^{\alpha r}, g^{\alpha r (\sum_{w=1}^{t} f_K(W_{j_w}))}, g^r, j_1, \ldots, j_t)$ and $D_i = (W_{i,1}, \ldots, W_{i,m})$. The algorithm 
checks whether the following equality holds: 

$$e\!\left(g^{\alpha r \left(\sum_{w=1}^{t} f_K(W_{j_w})\right)},\ g^{a_i}\right) = \prod_{k=1}^{t} \frac{e\!\left(g^{\alpha r},\ g^{a_i (V_{i,j_k} + R_{i,j_k})}\right)}{e\!\left(g^r,\ g^{a_i \alpha R_{i,j_k}}\right)}$$ 

and returns true if the equality holds, and false otherwise. 



4.1 Security Analysis without Capabilities 

We first demonstrate a partial security result; namely, that when no capabilities 
are generated, ciphertexts are indistinguishable provided BDDH is hard. To that 
end, we define a game ICC' which is identical to security game ICC of Section 2 
except that no capabilities are generated (i.e. steps 1 and 3 are modified). Hence, 
the adversary who engages in Security Game ICC' mounts an adaptive, chosen- 
plaintext attack. 
Proposition 4. If the Bilinear Decisional Diffie-Hellman (BDDH) problem is 
hard in $G_1$, then no adversary can win game ICC' with non-negligible advantage. 

Proof. Let $A$ be an adversary who wins Security Game ICC' with advantage $\epsilon$. 
We build an adversary $A'$ which uses $A$ as a subroutine and solves the BDDH 
problem. Let $g^a, g^A, g^\alpha, g^d$ be a BDDH challenge (the challenge is to decide 
whether $d = \alpha A a$). 

When $A$ asks for a document to be encrypted, $A'$ does the following. For each 
keyword $W_i$ it chooses a random value $x_i$. $A'$ keeps track of the correspondence 
between keywords $W_i$ and values $x_i$ so that if a keyword appears multiple times 
(possibly in different documents), the same $x_i$ is used consistently for that keyword. 
$A'$ then chooses a random value $a_i$ and random values $R_{i,1}, \ldots, R_{i,m}$. 
Finally, $A'$ outputs 

$$\left(g^{a_i},\ \left(g^{a_i (A x_1 + R_{i,1})},\ \ldots,\ g^{a_i (A x_m + R_{i,m})}\right),\ \left(g^{a_i \alpha R_{i,1}},\ \ldots,\ g^{a_i \alpha R_{i,m}}\right)\right)$$ 

Note that $A'$ can compute all of these values since it knows $a_i$, $x_j$ and the $R_{i,j}$. 
Note also that the above is a valid encryption of the document requested by $A$. 
Now for its challenge, $A$ asks for one more document $D$ to be encrypted. The 
problem is for $A$ to determine whether the encryption it receives from $A'$ is an 
encryption of $D$ or of a random document. $A'$ chooses random values $b_1, \ldots, b_m$ 
and outputs 

$$\left(g^a,\ \left(g^{b_1},\ \ldots,\ g^{b_m}\right),\ \left(g^{\alpha b_1 - d x_1},\ \ldots,\ g^{\alpha b_m - d x_m}\right)\right)$$ 

Note that $A'$ can compute the value above and that if $d = \alpha A a$, the encryption 
above is an encryption of $D$. Otherwise it is an encryption of a random document. 
$A$ outputs a guess as to whether it's been given an encryption of $D$ or an 
encryption of a random document, and $A'$ outputs the same guess as to whether 
$d = \alpha A a$ or not. Hence, just as in Proposition 3, if $A$'s advantage in Security 
Game ICC' is $\epsilon$, then the advantage of $A'$ in solving BDDH is $\epsilon$. □ 



4.2 Security Analysis with Capabilities 

We present here a complete security analysis of the protocol of Section 4, 
including capabilities. Unfortunately, in a security model that includes capabilities 
(Game ICC), we do not know how to reduce the security of the protocol 
to a standard security assumption. Indeed, the breadth of applications for 
bilinear maps often necessitates new, nonstandard, hardness assumptions (see, 
for example [8]). We rely on the following new assumption: 

Hardness Assumption (Game HA): 

We define the following game. Let $G_1$ be a group of order $q$, and let $g \in G_1$ 
be a generator of $G_1$. We assume the existence of an admissible bilinear map 
$e : G_1 \times G_1 \to G_2$. The game proceeds as follows: 

1. We choose two random values $\alpha, a \in \mathbb{Z}_q^*$ and give $A$, the adversary, $g^\alpha$ and 
$g^a$. 

2. $A$ can request as many times as it wants and in any order the following: 

— A variable. Whenever $A$ requests a new variable, we pick a random 
value $x_i \in \mathbb{Z}_q^*$ and give the adversary $g^{x_i}$. 

— A product. $A$ specifies a subset $S = \{i_1, \ldots, i_k\}$ of variables. We 
pick a random value $r \in \mathbb{Z}_q^*$ and return to the adversary $g^r$, $g^{\alpha r}$ and 
$g^{\alpha r (x_{i_1} + \cdots + x_{i_k})}$. 

3. $A$ chooses two subsets $T$ and $T'$ of indices such that $T \cap T' = \emptyset$. 

4. We give $A$ the value $g^{a \alpha x_i}$ for all $i \in T'$. Next, we flip a bit $b$. If $b = 0$, 
we give the adversary the value $g^{a \alpha x_i}$ for all $i \in T$. If $b = 1$, we give the 
adversary $g^{r_i}$ for a randomly chosen value $r_i \in \mathbb{Z}_q^*$ for all $i \in T$. 

5. $A$ outputs a bit $b_A$. 

We say that $A$ wins game HA if the following two conditions hold: 

— The adversary's guess is correct, i.e. $b_A = b$. 

— Let $S_1, \ldots, S_n$ be the list of sets requested by $A$ in step 2 of the game HA. 
For any $i = 1, \ldots, n$, if $S_i \subseteq (T \cup T')$ then $S_i \cap T = \emptyset$. 



Proposition 5. If game HA is hard for $G_1$, then no adversary can win the game 
ICC with non-negligible advantage. 

Proof. By Proposition 1, we know that the existence of an adversary who wins 
game ICC with non-negligible advantage implies the existence of an adversary 
who wins game ICR with non-negligible advantage. Let $A$ be an adversary who 
wins game ICR with non-negligible advantage. We show how to construct an 
algorithm $A'$ that uses $A$ as a subroutine and wins game HA with non-negligible 
probability. The algorithm $A'$ begins by asking for two values $g^\alpha$ and $g^a$ (step 1 
of game HA). 

Next, we show how $A'$ simulates the encryption function Enc for $A$. When $A$ 
wants a document encrypted, $A'$ asks for a variable $g^{x_i}$ for every new keyword 
$W_i$. The algorithm $A'$ keeps track of the correspondence between keywords and 
values in $G_1$ such that it can reuse values consistently if a keyword appears several 
times. To compute $\mathrm{Enc}(p, K, D)$ where $D = (W_1, \ldots, W_m)$, the algorithm $A'$ 
chooses a random value $a_i$ and $m$ random values $R_1, \ldots, R_m$ and gives to $A$: 

$$\left(g^{a_i},\ \left((g^{x_1})^{a_i} g^{a_i R_1},\ \ldots,\ (g^{x_m})^{a_i} g^{a_i R_m}\right),\ \left((g^\alpha)^{a_i R_1},\ \ldots,\ (g^\alpha)^{a_i R_m}\right)\right)$$ 

We show now how $A'$ simulates capabilities for $A$. Suppose that $A$ asks 
for the following capability: $\mathrm{Cap} = \mathrm{GenCap}(p, K, j_1, \ldots, j_t, W_{j_1}, \ldots, W_{j_t})$. The 
algorithm $A'$ asks for the values $g^r$, $g^{\alpha r}$ and $g^{\alpha r (x_{j_1} + \cdots + x_{j_t})}$ and outputs: 

$$\mathrm{Cap} = \left(g^r,\ g^{\alpha r},\ g^{\alpha r (x_{j_1} + \cdots + x_{j_t})}\right)$$ 

It is easy to verify that $\mathrm{Cap} = \mathrm{GenCap}(p, K, j_1, \ldots, j_t, W_{j_1}, \ldots, W_{j_t})$. 
At some point, $A$ chooses a challenge document $D = (W_1, \ldots, W_m)$ and 
a subset $T \subseteq \{1, \ldots, m\}$ (step 2 of game ICR). Without loss of generality, 
we assume that every keyword $W_j$ has already appeared, i.e. $A'$ already has a 
corresponding value $g^{x_j}$. If not, $A'$ simply asks for the missing values $g^{x_j}$. The 
adversary $A'$ defines $T' = \{1, \ldots, m\} \setminus T$. 

Now $A'$ chooses $m$ new random values $y_1, \ldots, y_m$ and computes 
$g^{\alpha y_1}, \ldots, g^{\alpha y_m}$. Next, $A'$ submits the sets $T$ and $T'$ as in step 3 of game HA. 
In return, $A'$ gets values $g^{s_1}, \ldots, g^{s_m}$, where $s_j = a \alpha x_j$ for every $j \in T'$ and 
for $j \in T$, either $s_j = a \alpha x_j$ or $s_j$ is random (recall that the goal of $A'$ is to 
distinguish between these two cases). Finally, $A'$ gives to $A$ the following value 
as the encryption of the challenge document $D$ chosen by $A$: 

$$\left(g^a,\ \left(g^{y_1},\ \ldots,\ g^{y_m}\right),\ \left(g^{\alpha y_1} / g^{s_1},\ \ldots,\ g^{\alpha y_m} / g^{s_m}\right)\right)$$ 

It is easy to verify that this is a correct encryption of the challenge document $D$ 
in every position $j \notin T$, and in every position $j \in T$, it is either an encryption 
of $W_j$ or an encryption of random. In such positions, it is up to the adversary 
$A$ to guess which. 

In step 3 of game ICR, $A$ is again allowed to ask for encryption of documents 
and capabilities. We simulate these exactly as above. 

In step 4 of game ICR, $A$ outputs a bit $b_A$. The adversary $A'$ then outputs the 
same bit $b = b_A$. Clearly, if $A$ wins game ICR with non-negligible advantage, 
then $A'$ guesses the bit correctly in game HA with the same non-negligible 
advantage. What remains to be shown is that the second condition for winning 
the game holds. That holds since whenever $\mathrm{Ver}(p, \mathrm{Cap}, \mathrm{Enc}(p, K, D)) = \mathrm{true}$ we 
must have that the set $T$ was not queried on and therefore for any $S$ that $A'$ 
requests to construct a capability $S \cap T = \emptyset$. □ 

5 Conclusion and Open Problems 

We have presented two protocols for conjunctive search for which it is provably 
hard for the server to distinguish between the encrypted keywords of documents 
of its own choosing. Our protocols allow secure conjunctive search with small 
capabilities. Our work only partially solves the problem of secure Boolean search 
on encrypted data. In particular, a complete solution requires the ability to do 
disjunctive keyword search securely, both across and within keyword fields. 

An important issue that isn’t addressed by our security games is the infor- 
mation leaked by the capabilities. In both of our protocols, the server learns the 
keyword fields that the capability enables the server to search. This alone may 
be enough to allow the server to infer unintended information about the docu- 
ments. It would be interesting to explore solutions for the secure search problem 
that also protect keyword fields. 
Abstract. In the literature, voting protocols are considered secure if 
they satisfy requirements such as privacy, accuracy, robustness, etc. It 
can be time consuming to evaluate a voting protocol with respect to all 
these requirements and it is not clear that the list of known requirements 
is complete. Perhaps because of this many papers on electronic voting 
do not offer any security proof at all. 

As a solution to this, we suggest evaluating voting schemes in the univer- 
sal composability framework. We investigate the popular class of voting 
schemes based on homomorphic threshold encryption. It turns out that 
schemes in this class realize an ideal voting functionality that takes the 
votes as input and outputs the result. This ideal functionality corre- 
sponds closely to the well-known ballot box model used today in manual 
voting. Security properties such as privacy, accuracy and robustness now 
follow as easy corollaries. We note that some security requirements, for 
instance incoercibility, are not addressed by our solution. 

Security holds in the random oracle model against a non-adaptive adver- 
sary. We show with a concrete example that the schemes are not secure 
against adaptive adversaries. We proceed to sketch how to make them se- 
cure against adaptive adversaries in the erasure model with virtually no 
loss of efficiency. We also briefly hint at how to achieve security against 
adaptive adversaries in the erasure-free model. 

Keywords: Voting, homomorphic threshold encryption, universal com- 
posability. 



1 Introduction 

We consider the security of voting protocols. As time has progressed, more and 
more security requirements have been published in the literature. Examples of 
such requirements are privacy, accuracy, fairness, robustness, universal verifia- 
bility, incoercibility and receipt-freeness [1,2]. With this growing list of require- 
ments, designers of voting protocols face two problems: if they do not know the 
literature well they may miss a security requirement, and even if they do cover 
all known requirements this does not guarantee that new yet to be discovered 
requirements are satisfied by their voting scheme. 

To partially solve these problems we suggest evaluating voting schemes in the 
universal composability (UC) framework of Canetti [3]. In the UC framework, 
an execution of a multi-party computation protocol is compared to an execution 
where a trusted ideal functionality handles the data and produces the output. 
A protocol is said to be secure if an adversary operating in a real-life model can 
be simulated in the ideal process model with the ideal functionality. In the case 
of voting, the ideal functionality takes as input the votes and outputs the result 
of the election. This ideal functionality corresponds to the old method of voters 
marking their choice on paper and putting the ballot in a box, which is opened 
once the election is over. 

Let us see how this solution addresses some of the properties that we men- 
tioned. Privacy and accuracy are automatically satisfied since it is a part of the 
model that input to the ideal functionality is not revealed in any way to the 
adversary and the ideal functionality does compute the result correctly. Robust- 
ness follows too; in the UC framework, we can corrupt parties and still have a 
good simulation in the ideal process. Fairness follows from the fact that the ideal 
functionality does not reveal any partial tallies during the process. 

Our approach has the advantage that it covers many security requirements 
in a single security model. This simplifies security proofs since we only need to 
prove universal composability to prove all these specific security requirements. 
Our approach is also pro-active in the sense that using a general security model 
may mean that security requirements yet to be discovered are covered. 

We do not claim to solve all security issues with this approach. In particular, 
universal composability of a voting scheme does not guarantee universal veri- 
fiability, incoercibility, receipt-freeness or protection against hackers. However, 
considering that many security issues are dealt with, and considering that the 
properties dealt with are often defined vaguely in papers dealing with voting 
schemes, we do find that this application of the UC framework is worthwhile to 
investigate. 

The UC framework allows for modular composition. In short, this means 
that if we take a hybrid protocol, where part of the protocol is specified by 
an ideal functionality, then we can freely plug in any protocol that securely 
realizes this ideal functionality. Most voting schemes presented in the literature 
make shortcuts. They assume we have a broadcast channel with memory or an 
anonymous broadcast channel. Often they also assume some public keys are set 
up and assume that voters are registered without specifying how this is done. We 
take this approach too and assume these things are provided through an ideal 
functionality. The modular composition theorem of the UC framework tells us 
that this is a sound approach and that we may later insert any protocol that 
realizes this functionality to get a full-blown election protocol. 

The specific class of voting protocols we look at in this paper is based on 
homomorphic threshold encryption. Many such schemes have been proposed in 
the literature [4, 5, 6, 7], only the first one of these offers a security proof. We 
prove that indeed these schemes realize an ideal voting functionality when the 
adversary is non-adaptive. The schemes are not secure against adaptive adver- 
saries, however, we propose a simple modification to make them secure against 
adaptive adversaries in the erasure model. Furthermore, in the full paper [8] 
we suggest another modification based on Paillier encryption that gives security 
against adaptive adversaries in the erasure-free model. 



2 Preliminaries 

In this section, we present the various tools used in the class of voting schemes 
we intend to investigate. Before doing so, we offer a brief introduction to the 
idea behind this class of voting protocols. 

The idea behind voting based on homomorphic encryption. We assume that the 
parties have access to a message board where everybody may post messages, ev- 
erybody can read the messages posted on the message board, messages cannot 
be deleted, and all messages are authenticated, for instance with digital signa- 
tures. All communication will take place through this message board. Public data 
pertaining to the election is also posted on the message board. In particular, a 
public key pk for a cryptosystem is posted. 

In this example, we assume for simplicity that the voters only have two 
choices. We encode “yes” as 1, while “no” is encoded as 0. A voter casts his vote 
by encrypting the vote and posting it on the message board, i.e., posting $E_{pk}(0)$ 
or $E_{pk}(1)$. Since the messages are authenticated, everybody can check whether 
an eligible voter cast the vote. 

The cryptosystem should have a homomorphic property: 

$$E_{pk}(m_1; r_1) \cdot E_{pk}(m_2; r_2) = E_{pk}(m_1 + m_2; r_1 + r_2).$$ 

When everybody has cast his vote we may therefore compute the product of all 
the ciphertexts and get an encryption of the number of “yes” votes. 

Now the authorities must decrypt this ciphertext containing the result of 
the election. For this purpose, we assume that the cryptosystem has threshold 
decryption. The authorities each hold a secret share of the private key and if 
sufficiently many of them cooperate, they may decrypt the ciphertext. However, 
no coalition below the threshold value is able to decrypt any of the encrypted 
votes; this preserves privacy. 

To prevent cheating we require that voters attach a non-interactive zero-
knowledge proof that their ciphertext contains either 0 or 1. Otherwise, it would
for instance be easy to cast 100 “yes”-votes by posting E_pk(100). Standard non-
interactive zero-knowledge proofs are too cumbersome to be used in practice,
therefore this is typically done through a 3-move honest verifier zero-knowledge
proof of correctness of a vote made non-interactive through the Fiat-Shamir
heuristic.
In this section, we define Σ-protocols [9], the type of 3-move honest verifier
zero-knowledge proofs that we use. We then note that these proofs in the ran- 
dom oracle model [10] can be transformed into non-interactive zero-knowledge 
proofs. We prove that in the random oracle model, we are dealing with a proof 
of knowledge, and for any prover there exists an emulator that also produces 
corresponding witnesses. This can be seen as a random oracle parallel of witness 
extended emulation as defined by Lindell [11]. Finally, we define the kind of 
homomorphic threshold encryption that we need. 

Σ-protocols. A Σ-protocol is a special type of 3-move proof system. Say we have
an element x and a language L. The prover P knows a witness w for x ∈ L
and wants to convince the verifier V that x ∈ L. We assume that both parties
have access to a common reference string σ chosen with a suitable distribution.
Some Σ-protocols do not require this, and in that case, we can of course just let
σ be the empty string. The protocol goes like this: The prover sends an initial
message a, receives a random challenge e and produces an answer z. V can now
evaluate (σ, x, a, e, z) and decide whether to accept or reject the proof.

A Σ-protocol satisfies the following properties.

Completeness: Given (x, w) where w is a witness for x ∈ L the prover will
with overwhelming probability convince the verifier, if they both follow the
protocol.

Special Soundness: There exists an efficient extractor that for any x given
two acceptable proofs (a, e, z) and (a, e', z') with the same initial message
but different challenges can compute a witness w for x ∈ L.

Special Honest Verifier Zero-Knowledge: There exists an efficient simula-
tor that given x, e can create a “proof” (a, e, z) for x ∈ L, which is indistin-
guishable from a real proof with challenge e.

Non-interactive zero-knowledge proofs. Given access to a random oracle O we can
transform a Σ-protocol into a non-interactive proof system. To get the challenge
e we form the initial message a, query O with (x, a, aux) to get the challenge e
and then compute the answer z.¹ The proof is then (a, z, aux). To verify such
a proof query O with (x, a, aux) to get e and then run the verifier from the
Σ-protocol.

Using standard techniques, we can prove that we get a non-interactive proof 
system with the following properties: 

Completeness: Given (x, w) where w is a witness for x ∈ L the verifier will
accept if both the prover and the verifier follow the protocol.

Soundness: A dishonest prover cannot convince the verifier if x ∉ L.

Zero-Knowledge: There exists a simulator S^O that given x ∈ L can create a
convincing proof (a, z, aux) indistinguishable from a real proof provided it
has the following ability to modify the oracle. It may give (x, a, aux, e) to O
and provided (x, a, aux) has not been queried before, O assigns the value e
to be the answer to query (x, a, aux).

¹ Typically, aux will contain the identity of the prover in order to prevent somebody
else from duplicating the proof and claiming to have made it.

The random oracle model is an idealization of the Fiat-Shamir heuristic, see 
[10]. In the Fiat-Shamir heuristic the prover uses a cryptographic hash-function 
to produce the challenge as e = hash(x, a, aux). 
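As an added example (not code from the paper), the following Python puts the pieces described above together for a yes/no election: exponential ElGamal E_pk(v; r) = (g^r, h^r g^v) as in the ElGamal-based scheme [4], a Σ-protocol OR-proof that a ciphertext holds 0 or 1 made non-interactive with e = hash(c, a, aux) where aux = (pk, sid, voter identity), and the homomorphic tally. The group parameters and session identifier are constructed toy values, and a single secret key s stands in for threshold decryption.

```python
import hashlib
import secrets

# Toy parameters (constructed for illustration, far too small for real use):
# p = 2q + 1 with q prime; g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 10007, 5003, 4
SID = "demo-election"        # constructed session identifier, part of aux

def keygen():
    """Single-key ElGamal (the paper shares s among the authorities instead)."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)   # sk = s, pk = h = g^s

def encrypt(h, v, r):
    """Exponential ElGamal E_pk(v; r) = (g^r, h^r g^v): componentwise products
    of ciphertexts give E_pk(v1 + v2; r1 + r2), the homomorphic property."""
    return (pow(G, r, P), pow(h, r, P) * pow(G, v, P) % P)

def challenge(*items):
    """Fiat-Shamir: e = hash(x, a, aux), reduced into Z_q."""
    data = "|".join(map(str, items)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_bit(h, c, v, r, aux):
    """Non-interactive Σ-protocol OR-proof that c encrypts 0 or 1. The branch
    for the value not voted is simulated (special HVZK: choose e, z first);
    the real branch is answered honestly; sub-challenges sum to hash(c, a, aux)."""
    x, y = c
    other = 1 - v
    e_o, z_o = secrets.randbelow(Q), secrets.randbelow(Q)
    a1_o = pow(G, z_o, P) * pow(x, Q - e_o, P) % P             # g^z * x^-e
    y_o = y * pow(G, -other, P) % P                             # y / g^other
    a2_o = pow(h, z_o, P) * pow(y_o, Q - e_o, P) % P            # h^z * (y/g^other)^-e
    u = secrets.randbelow(Q)
    a = {v: (pow(G, u, P), pow(h, u, P)), other: (a1_o, a2_o)}
    e = challenge(x, y, a[0], a[1], *aux)
    e_r = (e - e_o) % Q
    es = {v: e_r, other: e_o}
    zs = {v: (u + e_r * r) % Q, other: z_o}
    return (a[0], a[1], es[0], es[1], zs[0], zs[1])

def verify_bit(h, c, proof, aux):
    """Recompute e from the oracle query (c, a, aux) and check both branches.
    The binding to aux means a proof cannot be replayed by another voter."""
    x, y = c
    a0, a1, e0, e1, z0, z1 = proof
    if (e0 + e1) % Q != challenge(x, y, a0, a1, *aux):
        return False
    for b, (a1b, a2b), eb, zb in ((0, a0, e0, z0), (1, a1, e1, z1)):
        yb = y * pow(G, -b, P) % P
        if pow(G, zb, P) != a1b * pow(x, eb, P) % P:
            return False
        if pow(h, zb, P) != a2b * pow(yb, eb, P) % P:
            return False
    return True

def tally(h, ballots):
    """Multiply the ciphertexts carrying valid proofs: the product encrypts the
    number of 'yes' votes. A ballot is (voter_id, ciphertext, proof)."""
    X, Y = 1, 1
    for voter, c, proof in ballots:
        if verify_bit(h, c, proof, (h, SID, voter)):
            X, Y = X * c[0] % P, Y * c[1] % P
    return (X, Y)

def decrypt_count(s, c, max_votes):
    """Strip x^s to get g^count, then find count by trying 0..max_votes."""
    x, y = c
    g_count = y * pow(x, -s, P) % P
    for k in range(max_votes + 1):
        if pow(G, k, P) == g_count:
            return k
    return None

def run_election(votes):
    """votes: list of (voter_id, bit). Returns the number of 'yes' votes."""
    s, h = keygen()
    ballots = []
    for voter, v in votes:
        r = secrets.randbelow(Q)
        c = encrypt(h, v, r)
        ballots.append((voter, c, prove_bit(h, c, v, r, (h, SID, voter))))
    return decrypt_count(s, tally(h, ballots), len(votes))

def forged_ballot_verifies():
    """A ballot encrypting 100 'yes' votes, with a proof taken from a valid
    1-vote under the same randomness: the verifier rejects it."""
    _, h = keygen()
    r = secrets.randbelow(Q)
    proof = prove_bit(h, encrypt(h, 1, r), 1, r, (h, SID, "V1"))
    return verify_bit(h, encrypt(h, 100, r), proof, (h, SID, "V1"))

def replayed_proof_verifies():
    """V1's valid ballot re-posted under V2's identity: aux mismatch, rejected."""
    _, h = keygen()
    r = secrets.randbelow(Q)
    c = encrypt(h, 1, r)
    proof = prove_bit(h, c, 1, r, (h, SID, "V1"))
    return verify_bit(h, c, proof, (h, SID, "V2"))
```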

Witness extended emulation in the random oracle model. A Σ-protocol is a
proof of knowledge in the random oracle model. We formulate this in the form
of witness extended emulation in the following way. Given some adversary that
produces a vector of elements x ∈ L and valid proofs of memberships of L, there
is an emulator E_A that produces identically distributed elements together with
the corresponding witnesses for memberships of L.

Theorem 1. For all adversaries A there exists an expected polynomial time
emulator E_A such that for all distinguishers D (even unbounded ones) we have

$$\Pr[(x, p, s) \leftarrow A^O(z) : (x, p) \in V \wedge D^O(x, p, s, z) = 1] \approx \Pr[(x, p, w, s) \leftarrow E_A^O(z) : (x, p) \in V \wedge (x, w) \in W \wedge D^O(x, p, s, z) = 1],$$

where z is some advice with length bounded by a polynomial in k, O is a random
oracle, V is the set of vector pairs (x, p) such that p contains valid proofs for the
elements in x belonging to L, and W is the set of pairs (x, w) where w contains
witnesses for the elements of x belonging to L.²

The theorem follows from standard rewinding techniques. A proof can be found 
in the full paper [8]. 

Homomorphic threshold encryption. A (t, n)-threshold cryptosystem is a pub-
lic key cryptosystem where the secret key is shared between n authorities
A_1, ..., A_n. If t of them cooperate they may decrypt ciphertexts, but any group
of less than t authorities cannot learn anything about the contents of a cipher-
text.

We use a key generation algorithm K to generate the keys. In general, all
elements of the cryptosystem, messages, randomness and ciphertexts belong to
suitable groups. We write the ciphertext space with multiplicative notation and
the other groups with additive notation. The key generation algorithm produces
a public key pk which is used for encryption, secret keys sk_1, ..., sk_n used for de-
cryption, and verification keys vk_1, ..., vk_n that are public and used for verifying
that the authorities act according to the protocol.

² It is instructive to consider this theorem in connection with the cryptosystem TDH0
in [12]. TDH0 is a cryptosystem where a Σ-protocol made non-interactive with a
random oracle is used to prove knowledge of the plaintext. Intuitively one might
argue CCA2 security by saying that the adversary already knows the answer when
submitting decryption requests. However, Gennaro and Shoup show that this argu-
ment fails since rewinding is used to get the plaintexts, and since decryption requests
may depend on oracle queries made before several other oracle queries we risk an
exponential blow-up when tracking back through the decryption requests. Our the-
orem does not solve this problem. What our theorem can be used to prove, however,
is that TDH0 is non-malleable.

Encryption works as usual. To decrypt a ciphertext the authorities use their 
secret keys to produce decryption shares. Given t decryption shares anybody 
can combine them to get the plaintext. The verification keys are used by the 
authorities to make a zero-knowledge proof that they have provided the correct 
decryption shares. 

We require that the cryptosystem have the following properties. 

Semantic security: The cryptosystem must be semantically secure.

Errorless decryption: With overwhelming probability, the key generation al-
gorithm selects keys such that there is probability 1 for the decryption to
yield the message encrypted.³

Homomorphicity: For all messages m_1, m_2 and randomizers r_1, r_2 we have
$E_{pk}(m_1 + m_2; r_1 + r_2) = E_{pk}(m_1; r_1) \cdot E_{pk}(m_2; r_2)$.

Simulatability of decryption: There is an algorithm S that takes as input
a ciphertext c, a message m and the secret shares of any group of t − 1
authorities and produces simulated decryption shares for all the remaining
authorities that c decrypts to m. S must be such that even with knowl-
edge of the corresponding t − 1 keys the simulated decryption shares are
indistinguishable from real decryption shares.

3 Universal Composability 

The universal composability framework is described in detail in [3]. The main
gist is to compare a real-life execution of a protocol with an ideal process. We
say a real-life protocol π realizes an ideal functionality F if an adversary A in
the real-life model cannot gain more than an adversary S in the ideal process
does. More precisely, we have an environment Z that gives inputs to parties,
sees outputs from parties and learns which parties are corrupted, and we say π
securely realizes F if Z cannot distinguish the real-life protocol with adversary
A from the ideal process with simulator S.

In the ideal process, the ideal functionality handles everything taking place
in the protocol. The parties in the protocol hand their inputs from Z directly
and securely to F. F computes the parties' outputs and sends them to the parties. When
a party receives a message from F, it outputs this message. S is restricted to
corrupting some of the parties and blocking messages from F to the honest
parties. On the other hand, in the real-life execution the parties carry out the
protocol π to produce their outputs.

One main feature in this framework is security under modular composition.
Let us say we have a protocol ρ that realizes the ideal functionality F. Say that
ρ is used as a subprotocol in π and write this as π^ρ. We may then form the
hybrid where calls to ρ are replaced with calls to F. It is a theorem that π^ρ
securely realizes this hybrid.

³ Most known cryptosystems have this property. However, in the notion of deniable
encryption [13] the goal is to make it possible to deny that a particular thing was
encrypted by producing honest-looking randomness for an entirely different plaintext.



Key generation and message board hybrid model. We will take advantage of the 
modular composition theorem and work in a hybrid model where we assume we 
have protocols that realize the key generation and message board functionality 
described in Figure 1. For distributed key generation protocols refer to [14,15, 
16,17]. This enables us to concentrate on the voting protocol itself. 



Functionality F_KM

F_KM proceeds as follows, running with parties V_1, ..., V_m, A_1, ..., A_n and an
adversary A.

— Generate keys for the homomorphic threshold cryptosystem
(pk, vk_1, ..., vk_n, sk_1, ..., sk_n). Send (public key, sid, pk) to all parties and
A. Send (verification keys, sid, vk_1, ..., vk_n) to all the authorities and A.
For i = 1, ..., n send (secret share, sid, sk_i) to A_i.

— Upon receiving (message, sid, m) from party V_i store (message, sid, V_i, m)
and send it to A.

— Upon receiving (no-block, sid, V_i, m) from A check whether
(message, sid, V_i, m) has been stored. In that case, store (post, sid, V_i, m)
and ignore subsequent (no-block, sid, V_i, ...) messages from A.

— Upon receiving (tally, sid) from A, send all stored (post, sid, V_i, m) messages
to A_1, ..., A_n. Ignore subsequent (tally, sid) and (no-block, ...) requests.

— Upon receiving (post, sid, m) from party A_i send (post, sid, A_i, m) to
A_1, ..., A_n and A.

Fig. 1. The key generation and message board functionality, F_KM.



We note that in F_KM we allow A to block voters’ messages. This is to cover all
the benign and malicious failures that may occur when voters try to cast their 
vote; everything from the Internet connection being unstable to an adversary 
deliberately cutting the cables to groups of voters with a particular political 
opinion. A typical requirement of a voting system is that it should be available, 
i.e., voters wanting to vote should have access to vote. This covers protecting 
against denial of service attacks, etc., but is not part of what the cryptographic 
protocol can accomplish. Therefore, we specifically allow the adversary to block 
votes. We quantify over all adversaries in the security proof, so in particular the 
security proof also holds for non-blocking adversaries that do not block messages, 
i.e., it holds for voting systems with the availability property. In contrast, for 
simplicity we do not allow the adversary to block inputs from the authorities. 
This choice is reasonable since any voting system must have appropriate back-up 
procedures to ensure that all authorities can communicate as needed. 
Another remark pertains to resubmission of votes. Depending on the require-
ments, sometimes dictated by law, it may or may not be allowed for voters to 
change their votes. For simplicity, we treat the case where voters cannot change 
their mind, and therefore we only allow a single message not to be blocked. Se- 
curity can be proved quite similarly in the case where we allow voters to change 
their mind. 



Functionality F_voting

F_voting proceeds as follows, running with parties V_1, ..., V_m, A_1, ..., A_n and an
adversary S.

— Upon receiving (vote, sid, V_i, v) from V_i store it and send (vote, sid, V_i) to
S. Ignore future (vote, sid, ...) messages from V_i.

— Upon receiving (no-block, sid, V_i) from S check whether some
(vote, sid, V_i, v) has been stored. In that case, add v to the result and ignore
subsequent (no-block, sid, V_i) messages from S.

— Upon receiving (result, sid) from S compute the result and send
(result, sid, result) to S and A_1, ..., A_n and halt.

Fig. 2. The voting functionality, F_voting.



Voting protocol. Before describing the protocol that we use to realize the ideal
voting functionality in Figure 2, we need to discuss how to encode the voters’
choice as a plaintext to be encrypted. In [5,6,7] this is done by assigning each
candidate a number j ∈ {0, ..., L − 1} and encoding the candidate as $M^j$, where
M is a strict upper bound on the number of votes any candidate can receive.
Adding many such votes gives a result of the form $\sum_{j=0}^{L-1} v_j M^j$, where $v_j$ is the
number of votes on candidate number j. Votes and result can be embedded in
a message space of the form $\mathbb{Z}_N$ provided $N > M^L$. More generally we require
that there is an encoding such that:

— Each valid vote v can be encoded as Encode (v). 

— The sum of the encodings yields an encoding of the result, Encode (result). 

— It is possible to efficiently extract the result from an encoding. 

— The encodings can be embedded in the message space of the cryptosystem. 

We describe the voting protocol based on homomorphic threshold encryption 
in Figure 3. Examples of such voting protocols can be found in [4, 5, 6, 7]. 

Ideal process adversary. To prove security of the voting protocol we need to
provide an ideal process adversary S that fares as well as A does in the F_KM-
hybrid model. S is described in Figure 4.

Theorem 2. The voting protocol π_voting in the F_KM-hybrid model securely realizes F_voting for
the class of non-adaptive adversaries that corrupt less than t authorities.
Voting Protocol π_voting

The voting protocol for voters V_1, ..., V_m and authorities A_1, ..., A_n with access
to ideal functionality F_KM and random oracle O is as follows.

1. Invoke F_KM to give each voter V_1, ..., V_m the public key and give each
authority A_1, ..., A_n all the verification keys and its own secret key.

2. Each voter V_i with a public key pk on the incoming message tape and a valid
vote v_i on the input tape computes c_i ← E_pk(Encode(v_i)). He creates a proof
p_i for the vote being correct using a Σ-protocol with O’s answer on
(c_i, a_i, pk, sid, V_i) as the challenge e_i.
He sends (message, sid, c_i, p_i) to F_KM.

3. Authority A_j with the public key and the verification keys on its tape and a
secret share of the private key on its tape does the following. When receiving
a bunch of broadcast votes it computes C as the product of all the votes with
valid proofs. Then it computes the decryption share ds_j. It also forms a proof
p_j for the decryption share being correct using the verification key vk_j. The
challenge in this proof is computed with O.
It sends (post, sid, ds_j, p_j) to F_KM.

4. Each authority picks the first t decryption shares with valid proofs that it
receives and computes the plaintext of C.
It interprets the plaintext as Encode(result) and outputs (result, sid, result).

Fig. 3. The voting protocol π_voting.



Proof. We will take a walk one step at a time from the F_KM-hybrid model to
the ideal process. In doing so we will use expected polynomial time algorithms
and rewind the environment. This is all right as long as we do not do this in the
F_KM-hybrid model or the ideal process itself.

Exp_1. Define Exp_1 to be the following modification of the F_KM-hybrid model.
After A has submitted the command (tally, sid) to F_KM we use the honest
authorities’ secret shares to decrypt the encrypted votes with valid proofs sent
by A on behalf of corrupt voters. We look at the tapes of the honest voters and
if they are not blocked by A, we add their votes to the corrupt voters’ votes.
This gives us the result of the election.

By the simulation property of the threshold cryptosystem, we may now sim- 
ulate the honest authorities’ decryption shares such that they fit with the result. 
To do this simulation we do not need knowledge of the honest authorities’ secret 
shares. Using our ability to control the random oracle, we may also simulate 
proofs of these decryption shares being correct. 

≈ P_1. We define P_1 to be the probability of Z outputting 1 in
Exp_1. It is not possible for Z to distinguish whether it is running in the F_KM-
hybrid model or experiment Exp_1. The result is the same in both cases and
indistinguishability follows from the zero-knowledge property of the proofs and
the simulation property of the threshold cryptosystem.
Ideal process adversary S

S operates in the ideal process with dummy voters V_1, ..., V_m and dummy
authorities A_1, ..., A_n. It has input z. It controls the random oracle O in the
sense that it may assign a response e to a query q. This means that it can
simulate proofs.

S runs a simulated F_KM-hybrid execution with simulated adversary A. We write
V_1, ..., V_m and A_1, ..., A_n to denote simulated parties.

— S forwards all messages between A and Z.

— S simulates the invocation of F_KM. Having done this it knows the secret
shares of the private key of all the authorities, in other words S may decrypt
messages encrypted under the public key.

— Suppose A on behalf of a corrupt V_i sends (message, sid, c_i, p_i) and sends
(no-block, sid, V_i, c_i, p_i) to F_KM. S checks whether the proof is valid and in
that case it decrypts c_i to get a vote v_i. It submits (vote, sid, V_i, v_i) to
F_voting on behalf of V_i and sends (no-block, sid, V_i) to F_voting.

— Upon receiving (vote, sid, V_i) from F_voting, S knows that V_i got
(vote, sid, V_i, v_i) as input from Z. It does not know the actual vote v_i.
As long as V_i has not received the public key for the election S ignores the
problem, but if V_i has or gets the public key for the election S must simulate
V_i trying to cast a vote. It forms c_i = E_pk(0) and simulates a proof p_i for c_i
containing a valid vote. It simulates V_i sending (message, sid, V_i, c_i, p_i) to
F_KM and sends the resulting (message, sid, V_i, c_i, p_i) to the copy of A.
If it later receives (no-block, sid, V_i, m) from A, S simulates F_KM receiving
this message, and it sends (no-block, sid, V_i) to F_voting.

— Upon A sending (tally, sid) to F_KM, S lets the simulated F_KM send the list
of stored messages (post, sid, V_i, c_i, p_i) to A_1, ..., A_n.
It sends (tally, sid) to F_voting and learns the result.
Let C be the product of all the c_i’s. S uses the simulation property of the
threshold cryptosystem to simulate shares ds_j for the honest A_j’s such that
C decrypts to the actual result. Furthermore, it also simulates proofs p_j of
the shares being correct.

— After A has delivered both the keys and the messages to honest A_j, S
simulates that A_j sends the decryption share (post, sid, A_j, ds_j, p_j) to F_KM.

— When A_j has received both the public keys and t decryption shares, then S
delivers the (result, sid, result) message from F_voting to A_j.

Fig. 4. The ideal process adversary S.



Exp_2. Define Exp_2 as the following modification of Exp_1. We look at the exe-
cution in the interval between key generation having been done and A not yet
having submitted (tally, sid) to F_KM. After the key generation, we may for
each honest voter and each possible vote it can get as input pre-generate the
(message, sid, c_i, p_i) message.

Let $\mathcal{A}$ be an algorithm that takes as input the tapes of A, Z and the pre-
generated encrypted votes. It runs the entire execution in this interval, and in
the end, it outputs the views of A and Z. From the views, we may read off the
states of A and Z, restart them, and continue the experiment.

According to Theorem 1 we may replace $\mathcal{A}$ with an expected polynomial
time algorithm $E_{\mathcal{A}}$ that indistinguishably outputs the same as $\mathcal{A}$, but in addition
provides the witnesses for the proofs made by corrupt voters. These witnesses
include the votes of these corrupt parties and therefore we do not need to decrypt
anything with the honest authorities’ secret shares of the private key.

P_1 ≈ P_2. We define P_2 as the probability that Z outputs 1 at the end of
experiment Exp_2. It follows from Theorem 1 that P_1 ≈ P_2.



Exp_3. Define Exp_3 the following way. Instead of letting the honest voters encrypt
their votes and proving in zero-knowledge that the ciphertexts contain correct
votes, we let them encrypt 0 and simulate the proofs of correctness. For each
possible vote that Z could give to an honest voter V_i, we construct such a 0-vote
and feed A with these ciphertexts and simulated proofs.

P_2 ≈ P_3. Let P_3 be the probability that Z outputs 1 after experiment Exp_3.
In Exp_3, we still use the real votes to fit the result in the end, and we do not
at any point use the honest authorities’ shares of the private key. Therefore, by
the semantic security of the cryptosystem, the result is the same and Z cannot
distinguish the two experiments. Neither does it allow us to distinguish the views
of A and Z that $\mathcal{A}$ produces, so these transcripts must still look like correct views
of A and Z acting according to their programs.



Exp_4. We define Exp_4 as a modification of Exp_3 where we go back to using
decryption to get A’s votes. Instead of using the votes supplied by $E_{\mathcal{A}}$, we decrypt
the corrupt voters’ ciphertexts with valid proofs and use these votes. We may
now replace $E_{\mathcal{A}}$ with $\mathcal{A}$ since we do not need the votes directly. By definition,
$\mathcal{A}$ produces valid transcripts of how A and Z behave with these inputs and we
may therefore replace $\mathcal{A}$ with the execution of A and Z.

P_3 ≈ P_4. By Theorem 1 we may shift back from $E_{\mathcal{A}}$ to $\mathcal{A}$ without being able
to tell the difference. Since $\mathcal{A}$ produces two good transcripts for how A and Z
work we may now go back to using A and Z also in the interval between key
generation and A submitting (tally, sid) to F_KM.

P_4 ≈ IDEAL_{F_voting, Z, S}. The ideal process and Exp_4 are actually the same
experiment. In Exp_4 we submit 0-votes on behalf of honest parties and simulate
the proofs, just as S does. When A submits (vote, sid, V_i, c_i, p_i) on behalf of an
honest voter we check the proof and decrypt just as S does. To create something
that looks like decryption shares that produce the result we simulate this just as
S does. □
Recycling keys. One could ask whether the keys can be reused for several elec-
tions. The security proof fails in this case for the same reasons as described 
in [12] and Footnote 2. The problem is that we can prove non-malleability of 
the cryptosystem used to encrypt votes but not prove security with respect to 
general adaptive chosen ciphertext attacks. If we use the same keys in several 
elections, we give the adversary access to a decryption of the ciphertexts con- 
taining the results and therefore an adaptive chosen ciphertext attack. While we 
see no way to use this attack in practice, we cannot guarantee security. 

If we really want to use the keys for several elections that is possible though. 
We can simply demand that the voter makes a proof of knowledge where votes 
can be straight-line extracted. For instance, the voter can encrypt votes under 
a second public key and prove that this has been done correctly. Then votes 
may be extracted directly from this ciphertext and no rewinding is needed. The 
authorities tally the votes by stripping away the extra proof and ciphertext and 
carrying out the usual tallying procedure with the remaining ciphertext. 

4 Adaptive Adversaries 

An adaptive adversary is one that decides during the execution of the protocol 
which parties to corrupt. After corruption of a party, the adversary may learn 
some data from earlier computations. To guard against such problems we may
explicitly require in protocols that parties erase certain data. We call
this the erasure model. Sometimes the more strict erasure-free security model 
is preferred. In this model, the party’s entire computational history is revealed 
upon corruption. 

The voting schemes are not adaptively secure. The schemes [4, 5, 6, 7] are in fact
not secure in the adaptive setting, even when we allow erasures. Let us sketch a
counter-argument for the case of a yes/no election using the scheme in [4] with
2 voters, 3 authorities and a threshold t = 2. We refer the reader to [4] for a
description of the scheme.

Consider an environment Z and adversary A, where A forwards everything
it sees to Z and follows instructions from Z on how to behave. Z first asks A
to activate the key-generation step of F_KM and to deliver all the keys to the
relevant parties. Then Z selects at random that all voters should vote yes or all
voters should vote no. It lets the first voter post its vote and then it flips a coin
to decide whether to block the second voter or not. If both voters were allowed
to post their votes, Z carries out the entire election according to the protocol. If
only the first voter was allowed to post his vote, Z lets A activate A_1 to obtain
its decryption share. Then it flips a coin and corrupts either A_2 or A_3. From
the secret share it obtains it may now compute the result of the election. If
everything works out OK, Z outputs 1. If we are operating in the real-life model
everything will work out OK and Z will output 1 with 100% probability.

To finish the argument we will show that any S cannot make Z accept with
more than 50% probability. First, S must provide public keys $g, h = g^s$ for an
ElGamal cryptosystem. Second it must provide verification keys $h_1 = g^{s_1}, h_2 = g^{s_2}, h_3 = g^{s_3}$
to the authorities. Here $s, s_1, s_2, s_3$ may or may not be known to
S and may or may not be chosen according to the protocol. Having given these
keys to Z, S must now produce the vote (x, y) for the first voter. At this point
it cannot know the result since if it queries F_voting for the result, then Z
has 50% probability of letting the second voter vote, and then the result will
be wrong and Z will be able to distinguish. From now on, we look at the case
where (x, y) has been produced without knowledge of the result, and where this
is the only vote to be cast. S must try to make it look like (x, y) decrypts to
the result. First, it must produce a decryption share $w_1$ for the first authority.
Then depending on Z’s coin-flip, it must give either $s_2$ or $s_3$ to Z according to
which authority Z decides to corrupt. To make Z accept with more than 50%
probability, S must be able to make it look like (x, y) decrypts to the result in
both cases. In other words, we have

$$G^{\text{result}} = \frac{y}{w_1^{\lambda_{1,\{1,2\}}}\, x^{s_2 \lambda_{2,\{1,2\}}}} = \frac{y}{w_1^{\lambda_{1,\{1,3\}}}\, x^{s_3 \lambda_{3,\{1,3\}}}},$$

where the Lagrange coefficients are $\lambda_{1,\{1,2\}} = 2$, $\lambda_{2,\{1,2\}} = -1$, $\lambda_{1,\{1,3\}} = 3/2$,
$\lambda_{3,\{1,3\}} = -1/2$. This implies that we can compute $w_1 = x^{2 s_2 - s_3}$ and
$y = G^{\text{result}} x^{3 s_2 - 2 s_3}$. However, since (x, y) was chosen before the result was known
to S there is at least 50% probability that S could not have done this. Z only
has 50% probability of outputting 1 in the ideal process and it can therefore
distinguish.



Adaptive security in the erasure model. We can deal with an adversary that may 
adaptively corrupt voters quite easily. The voters simply erase the plaintext vote 
and the randomness after they have computed the encrypted vote. This way an 
adaptive adversary does not learn anything by corrupting a voter. We find the 
erasure model to be somewhat reasonable since a good voting system should 
specify that voters delete the randomness and the vote used in order to give 
some rudimentary receipt-freeness. 

To guard against adversaries that adaptively corrupt authorities we can use
techniques from [18,19,20]. Let us briefly sketch how to do this. All the homo-
morphic cryptosystems in [4, 6, 5, 7] require that in the decryption process we raise
the ciphertext C or part of the ciphertext to a secret value s. In the abovemen-
tioned schemes we share s using a polynomial f of degree t − 1, and give each
authority a share $s_i = f(i)$. Lagrange interpolation can then be used to perform
the decryption. As we saw before, this technique causes trouble in the adap-
tive setting. However, if we instead use a linear secret sharing of s, i.e., select
$s_1, \ldots, s_{n-1}$ at random and $s_n = s - \sum_{i=1}^{n-1} s_i$, then we can cope with an adap-
tive adversary. To recover if an authority fails to provide its decryption share,
we also use polynomials $f_1, \ldots, f_n$ of degree t − 1 to secret share $s_1, \ldots, s_n$. I.e.,
$f_i(0) = s_i$ and $s_{i,j} = f_i(j)$. Authority j knows all the shares $\{s_{i,j}\}_{i=1,\ldots,n}$. The
verification keys now also include trapdoor commitments, for instance Pedersen
commitments, to the $s_{i,j}$’s. In the simulation, we pick all the shares $s_1, \ldots, s_n$
at random. When the first honest authority is about to compute its share, it
computes the share such that it fits with the result and all the other authori-
ties’ shares, and it simulates a proof of correctness. The authorities have to go
through a more complicated protocol to compute the result and anybody wish-
ing to verify the result also has to do more work, but it is still well within what
is practical. The voters do not pay any performance penalty when having to use
this type of voting scheme instead of the original type of voting scheme; for them
the protocol looks the same.
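An added example (not the paper's code) contrasting the two ways of sharing the decryption exponent s discussed above: polynomial (t, n) sharing combined with Lagrange interpolation as in the original schemes, and the linear sharing s = s_1 + ... + s_n with polynomial backup shares s_{i,j} = f_i(j) for recovering a missing authority's s_i. It also evaluates the constraint from the counter-example in this section, showing how w_1 and y are pinned down by s_2, s_3 and the result. Toy group parameters and share values are constructed, and the message base is taken to be g itself.

```python
import secrets

# Toy group (constructed, far too small for real use): p = 2q + 1 with q prime,
# g = 4 generates the order-q subgroup of Z_p^*; exponents live in Z_q.
P, Q, G = 10007, 5003, 4

def lagrange_at_zero(i, members):
    """Lagrange coefficient lambda_{i, members} mod q for interpolating at 0."""
    num, den = 1, 1
    for j in members:
        if j != i:
            num, den = num * (-j) % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def shamir_share(secret, t, n):
    """Polynomial sharing: random f of degree t-1 with f(0) = secret; A_i gets f(i)."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def polynomial_decrypt(cipher, shares, members):
    """Original schemes: t authorities combine their decryption shares x^{s_j}
    with Lagrange coefficients to obtain x^s, then return y / x^s."""
    x, y = cipher
    x_s = 1
    for j in members:
        w_j = pow(x, shares[j], P)                       # A_j's decryption share
        x_s = x_s * pow(w_j, lagrange_at_zero(j, members), P) % P
    return y * pow(x_s, -1, P) % P

def linear_share(secret, t, n):
    """Section 4 variant: s = s_1 + ... + s_n with s_1, ..., s_{n-1} random, and
    every s_i additionally shared by a polynomial f_i (f_i(0) = s_i) so that the
    backup shares s_{i,j} = f_i(j) let t other authorities recover s_i."""
    parts = [secrets.randbelow(Q) for _ in range(n - 1)]
    parts.append((secret - sum(parts)) % Q)
    add = dict(zip(range(1, n + 1), parts))
    backup = {i: shamir_share(add[i], t, n) for i in add}   # backup[i][j] = s_{i,j}
    return add, backup

def recover_additive_share(i, backup, helpers):
    """Reconstruct s_i = f_i(0) from the backup shares s_{i,j} of t helpers."""
    return sum(backup[i][j] * lagrange_at_zero(j, helpers) for j in helpers) % Q

def linear_decrypt(cipher, add, backup, present, t):
    """Every authority contributes x^{s_i} without any Lagrange weight; a missing
    authority's s_i is first reconstructed by t present ones from their backups."""
    x, y = cipher
    x_s = 1
    for i in add:
        s_i = add[i] if i in present else recover_additive_share(i, backup, present[:t])
        x_s = x_s * pow(x, s_i, P) % P
    return y * pow(x_s, -1, P) % P

def demo(v=5, t=2, n=3, present=(1, 3)):
    """Encrypt g^v under pk = g^s, then decrypt with both sharings while the
    authorities not in 'present' are absent. Returns (polynomial ok, linear ok)."""
    s = secrets.randbelow(Q - 1) + 1
    h, r = pow(G, s, P), secrets.randbelow(Q)
    cipher = (pow(G, r, P), pow(h, r, P) * pow(G, v, P) % P)
    poly = shamir_share(s, t, n)
    add, backup = linear_share(s, t, n)
    target = pow(G, v, P)
    return (polynomial_decrypt(cipher, poly, list(present)) == target,
            linear_decrypt(cipher, add, backup, list(present), t) == target)

# The simulator's dilemma from the counter-example (3 authorities, t = 2,
# ElGamal vote (x, y)): once w_1 is published, coalitions {1,2} and {1,3}
# must agree on x^s, which pins w_1 and y down.
def coalition_xs(x, w1, j, s_j):
    """x^s as computed by coalition {1, j} from w_1 and the corrupted share s_j."""
    members = [1, j]
    return (pow(w1, lagrange_at_zero(1, members), P)
            * pow(pow(x, s_j, P), lagrange_at_zero(j, members), P) % P)

def forced_w1(x, s2, s3):
    """The only w_1 consistent with both coalitions: x^{2 s_2 - s_3}."""
    return pow(x, (2 * s2 - s3) % Q, P)

def required_y(x, s2, s3, result):
    """The y the simulator would have needed, G^result * x^{3 s_2 - 2 s_3}; it
    depends on the result, which S does not know when it fixes (x, y)."""
    return pow(G, result, P) * pow(x, (3 * s2 - 2 * s3) % Q, P) % P
```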

Adaptive security in the erasure-free model. To obtain a protocol secure against
adaptive adversaries in the erasure-free model we can use the UC threshold cryp-
tosystem of Damgård and Nielsen [21]. One problem in this scheme is that they
use the UC commitments of [22], which require that each voter receive an indi-
vidual commitment key. [23] suggested solving this problem using non-malleable
commitments, and better efficiency can be obtained if we use simulation sound
commitments [24]. We can combine the protocols with zero-knowledge proofs of
the type in [7] to prove correctness of the votes. Making it all non-interactive
using the Fiat-Shamir heuristic, we obtain a fairly efficient voting scheme, which
is secure against adaptive adversaries in the erasure-free setting. More details on
this scheme are offered in [8].



Acknowledgment. Thanks to Ivan Damgård for asking whether the schemes based on homomorphic threshold encryption are secure in the universal composability framework. 
Abstract. We propose a formal model for security of verifiable shuffles and prove security of a number of recently proposed shuffle schemes in this model. The model is general and can be extended to mix-nets and verifiable shuffle decryption. We propose a new efficient verifiable shuffle system based on the Paillier encryption scheme and prove its security in the proposed model. 

Keywords: Privacy, verifiable shuffles, formal security model, mix-nets, 
Paillier public-key system. 



1 Introduction 

A shuffle takes an input list of ciphertexts and outputs a permuted and re-encrypted version of the input list. Re-encryption of a ciphertext can be defined for encryption systems such as the El Gamal and Paillier encryption systems, and allows generation of ciphertexts c' from a given ciphertext c such that both ciphertexts correspond to the same plaintext m under the same public key. 

The main application (motivation for the study) of shuffles is to construct mix-nets, a cryptographic system introduced by Chaum [3] for providing communication unlinkability and anonymity. Mix-nets are among the most widely used systems for providing communication privacy, and have found applications in anonymous email systems [3], Web browsing [9], electronic voting [18], anonymous payment systems [4], location privacy for mobile networks [16] and mobile IP [4], secure multiparty computation [14] and privacy in advertisements [15]. 

A mix-net consists of a number of mix-centres that collectively permute and decrypt the mix-net input list. Shuffles are used to implement mix-centres. A basic shuffle permutes its input list of ciphertexts through re-encryption. Mix-centres may also partially decrypt the list; this is called shuffle decryption. Mix-nets that use shuffle decryption can be more efficient, but in case of failure of one of the mix-centres they need more computation to recover [8]. 
The main security property of shuffle systems is providing unlinkability of elements of the input list to the elements of the output list for outsiders, and so effectively keeping the permutation secret. We refer to this property as shuffle privacy. A second important property of shuffles is verifiability: that is, providing a proof that the output is correctly constructed. Verifiability of shuffles is used to provide robustness for the mix-net: that is, ensuring that the mix-net works correctly even if a number of mix-servers are malicious. This is an important property of mix-nets and so verifiability of shuffles has received much attention. Shuffles must be efficient, and the cost is measured in terms of the amount of computation and communication that is required for providing privacy for n users. 

In this paper we focus on verifiable shuffles. Privacy of shuffles has traditionally been equated to the zero-knowledge property of the proof system used for verifying correctness. Recently a number of efficient constructions for verifiable shuffles have been proposed. In Crypto'01, Furukawa and Sako [6] gave a characterisation of permutation matrices in terms of two equations that can be efficiently proved, hence proposing an efficient (3-round proof system) verifiable shuffle. However, in a subsequent paper [7] they noted that the proof system was not zero-knowledge. They did, however, give a definition of privacy for shuffles and showed that the protocol satisfied that definition. The definition requires that the verifier cannot learn anything about the 'relation' between the output of the shuffle and its input, using the transcript of the protocol. Neff [18,19] and later Groth [13] proposed shuffles that provide the zero-knowledge property for their proofs. 

As noted above the notion of privacy varies among shuffles and no formal 
model for verifiable shuffles has been suggested so far. Such a formalisation will 
be also important for formalising security of mix-nets. Recently proposed attacks 
[1,20,25] against mix-nets clearly demonstrate the need for such a model. 

The first contribution of this paper is to give a formal model for shuffles that allows us to have a unified approach for assessment of shuffle systems. Our definition of shuffle privacy is motivated by observing the similarity between a shuffle hiding the permutation and an encryption system hiding the input message. We consider adaptive attacks by an active adversary that uses a chosen permutation attack (CPA_S) (similar to chosen plaintext) and a chosen transcript attack (CTA_S) (similar to chosen ciphertext). A subtle difference between this model and the model of a traditional encryption system is that in this case the adversary does not only specify the distribution of the challenge permutation (i.e. plaintext) but also another input, the list of input ciphertexts. We allow the adversary to choose this input ciphertext list adaptively and also to know the corresponding plaintext list. Using this approach, notions of privacy can be defined in line with semantic security and indistinguishability. We prove that these two notions of privacy are equivalent and can be used interchangeably. The definition of verifiability is based on the notions of completeness and soundness of the proof system. We note that the prover, the shuffle, does not have access to the private key of the encryption. This is the first complete model for shuffle security with an active adversary and under CPA_S and CTA_S. The model can be extended to verifiable shuffle decryption and mix-nets, and so provides a unified framework for security evaluation of these systems. We prove security of the Furukawa-Sako, Neff and Groth schemes in this model. 

A second contribution of this paper is proposing a new efficient verifiable shuffle based on the Paillier encryption system [22]. The Paillier encryption system provides semantic security against adaptive chosen plaintext attack (CPA) in the standard model and, similar to the El Gamal cryptosystem, it is possible to define a re-encryption operation for it. The shuffle uses the Furukawa-Sako approach for characterisation of permutation matrices but has computations over a composite modulus, which complicates the security proofs (we have to prove Theorem 6 and Theorem 7). We prove privacy and verifiability of the shuffle in our proposed model. The proof technique can also be used to prove privacy of the Furukawa-Sako, Neff and Groth schemes in our model. Compared to Furukawa-Sako and Groth, our proof system has a more efficient initialisation phase and, similar to Groth's shuffle, does not require the message space to be prime (a product of two primes instead). By using the NM-CCA robust threshold version of the Paillier encryption scheme [5], a robust mix-net can be constructed from our verifiable shuffle, as will be shown in the full version of our paper [21]. 

The organization of the paper is as follows. In Section 2, we recall some background on public-key encryption schemes and shuffles. Section 3 provides our formal definitions of verifiable shuffles and their security requirements. Section 4 gives a verifiable shuffle based on the Paillier public-key system, its security proofs and efficiency analysis. 



2 Background 

2.1 Public-Key Encryption Schemes 

A public-key encryption scheme consists of three probabilistic polynomial time (PPT) algorithms (G, E, D). The key generation algorithm G on input 1^l outputs (pk, sk) where pk is a public key, sk is the secret key and l is a security parameter. The encryption algorithm E takes as input the public key pk and a plaintext and outputs a ciphertext. The decryption algorithm D takes as input the secret key sk and a ciphertext and outputs a plaintext. A public-key encryption scheme may have a re-encryption function. Following the definition in [24], this means there is a PPT algorithm R that takes as input the public key pk and a ciphertext and outputs another ciphertext such that for every plaintext m and its ciphertexts c and c':

$$
\Pr[c' = R_{pk}(c)] = \Pr[c' = E_{pk}(m)] \qquad (2.1)
$$

A public-key scheme with a re-encryption function is denoted by (G, E, D, R). Note that we write E_pk(m), D_sk(c) and R_pk(c) instead of E(pk, m), D(sk, c) and R(pk, c) respectively. 

Due to space limitation, for a discussion about encryption security require- 
ments, including semantic security (SS), indistinguishability (IND) and non- 
malleability (NM) against chosen plaintext attacks (CPA) and chosen ciphertext 
attacks (CCA), we refer to the full version of this paper [21]. 
2.2 Paillier Public-Key System 

Key generation: Let N = pq, where p and q are large primes. Denote by λ the Carmichael value of N, so λ = lcm(p − 1, q − 1). The public key is pk = N and the secret key is sk = λ. Hereafter, unless stated otherwise, we assume all modular computations are modulo N². 

Encryption: A plaintext m ∈ Z_N can be encrypted by choosing r ∈_R Z_N^* (i.e. chosen randomly and with uniform distribution from Z_N^*) and computing the ciphertext g = r^N (1 + mN).¹ 

Re-encryption: A Paillier ciphertext g for a plaintext m can be re-encrypted as g' = r'^N · g for the same plaintext m, where r' ∈_R Z_N^*. The re-encryption satisfies condition (2.1) above. 

Decryption: A ciphertext g ∈ Z_{N²}^* can be decrypted as m = L(g^λ mod N²)/λ mod N, where the function L takes its input from the set {u < N² | u ≡ 1 mod N} and is defined as L(u) = (u − 1)/N. 

Decisional Composite Residuosity Assumption (DCRA): A number z ∈ Z_{N²}^* is said to be an e-th residue mod N² if there exists a number y ∈ Z_{N²}^* such that z = y^e. DCRA states that there is no polynomial time distinguisher for the N-th residues modulo N². 

Security: The Paillier encryption scheme has SS-CPA if and only if DCRA holds. 

NM-CCA robust threshold encryption scheme: Using the twin-encryption paradigm of [17], Shamir's sharing scheme [23], the proof of equality of discrete logs and a simulation-sound proof of equality of plaintexts, Fouque and Pointcheval [5] proposed an NM-CCA robust threshold encryption scheme based on the Paillier public-key system that is proved secure in the random oracle model. This encryption system can be used to construct a robust mix-net. 



2.3 Furukawa-Sako Shuffle 

Furukawa and Sako [6] proposed an efficient verifiable shuffle based on the El Gamal public-key system. In their scheme, a permutation is represented as a matrix (Definition 1) and their proof system is based on proving two equations on the matrix (Theorem 1). However, Furukawa-Sako's proof of zero-knowledgeness is not correct [7]. 

Definition 1. A matrix (A_ij)_{n×n} is a permutation matrix modulo k if it satisfies the following for some permutation π:

$$
A_{ij} = \begin{cases} 1 \bmod k & \text{if } \pi(i) = j \\ 0 \bmod k & \text{otherwise} \end{cases}
$$



¹ Paillier encryption is originally defined as g = r^N e^m, where e ∈ Z_{N²}^* and its order modulo N² is a non-zero multiple of N. For efficiency we use e = 1 + N. Our results do not depend on this choice and are true for all values of e. 
Theorem 1. A matrix (A_ij)_{n×n} is a permutation matrix modulo q, where q is a prime, if and only if for all i, j and k, both

$$
\sum_{h=1}^{n} A_{hi} A_{hj} = \begin{cases} 1 \bmod q & \text{if } i = j \\ 0 \bmod q & \text{otherwise} \end{cases}
$$

$$
\sum_{h=1}^{n} A_{hi} A_{hj} A_{hk} = \begin{cases} 1 \bmod q & \text{if } i = j = k \\ 0 \bmod q & \text{otherwise} \end{cases}
$$

hold. 



3 Security of Verifiable Shuffles 



3.1 Notation and Terminology 

For a list L of elements, |L| denotes the size of the list, L[i] denotes the i-th element of the list and π(L) the list of elements in L permuted by a permutation π. Let T_n denote the set of all permutations on {1, ..., n}. A positive polynomial is a polynomial for which the leading coefficient is positive. Let poly(n) refer to some fixed but unspecified polynomial and U_n denote a random variable uniformly distributed over {0, 1}^n. When a PPT algorithm M takes an input x and produces an output y, we write y ← M(x) and denote by C_M^{x,y} the probabilistic input (sequence of internal random coin tosses) of M. For example, if the Paillier ciphertext g = r^N (1 + mN), then C_{E_pk}^{m,g} = r. We can abuse this notation by writing C_{E_pk}^{g} instead of C_{E_pk}^{m,g}, and similarly for D_sk and R_pk. We use C_M^{L_x, L_y} to denote the list of probabilistic inputs of M where the i-th element of the list is the probabilistic input that takes the i-th element of the list L_x to the i-th element of the list L_y. The set of possible outputs of M on input x is denoted by [M(x)]. 

The adversary is modelled by an oracle machine, which is a Turing machine with additional tapes and states allowing access to some oracles that provide answers to queries of the defined types. An interactive proof system (P, V) consists of two parties: a prover P and a verifier V. Each party can be modelled by an interactive machine, which is a Turing machine with additional tapes and states allowing joint communication and computation with another interactive machine. Formal descriptions of oracle machines and interactive machines can be found in [10]. For a proof system (P, V), View_V(x) denotes all that V can see from the execution of the proof system on input x (in other words, the transcript of the proof system on input x). 



3.2 Syntax of Shuffles 

First, we define a language to describe that a list of ciphertexts is a permuted 
and re-encrypted version of another ciphertext list. 
Definition 2. Suppose RP = (G, E, D, R) is a public-key scheme with a re-encryption function. Define a language L_RP of tuples (pk, L_1, L_2) such that pk is a public key generated by G and L_2 is a permutation of re-encryptions of ciphertexts in L_1 produced by R_pk. The witness w(pk, L_1, L_2) includes the permutation and the list of probabilistic inputs of R_pk.

$$
L_{RP} = \{(pk, L_1, L_2) \mid (|L_1| = |L_2|) \wedge (\exists \pi \in T_{|L_1|}, \forall i \in \{1, \ldots, |L_1|\} : L_2[\pi(i)] \in [R_{pk}(L_1[i])])\}
$$

$$
w(pk, L_1, L_2) = (\pi, C_{R_{pk}}^{L_1, L_2})
$$

A shuffle takes a list of ciphertexts and outputs a permuted list of their re- 
encryptions. If verifiable, it then runs a proof system to prove that the output 
is really a permutation of the re-encryptions of input ciphertexts. This can be 
formally defined as follows. 

Definition 3. A shuffle is a pair (RP, S) such that: 

— RP is a public-key scheme with a re-encryption function (G, E, D, R). Suppose the algorithm G generates a pair (pk, sk). 

— The PPT algorithm S takes as input a public key pk, a list of n input ciphertexts L_in and a random permutation π ∈ T_n, and outputs a list of n output ciphertexts L_out. S performs correctly if L_out is a list of re-encryptions of ciphertexts in L_in permuted by π. 

Definition 4. A verifiable shuffle is a tuple (RP, S, (P, V)) such that: 

— RP and S are defined as in Definition 3. 

— The proof system (P, V) takes input pk, L_in and L_out from S and proves that (pk, L_in, L_out) ∈ L_RP. The private input to P includes only the witness w(pk, L_in, L_out) and does not include the private key sk. 
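As an added worked example (not code from the paper or its authors), the following Python puts the Paillier operations of Section 2.2, the re-encryption condition (2.1), and the shuffle algorithm S of Definition 3 into running form, together with a trapdoor check that an (L_in, L_out) pair lies in the language L_RP of Definition 2. The primes, plaintexts and permutation are constructed toy values, the permutation is 0-based, and the function names are this example's own rather than the paper's notation.

```python
import math
import secrets

# Added example (not the paper's code): toy Paillier with e = 1 + N as in Section 2.2,
# the re-encryption condition (2.1), the shuffle algorithm S of Definition 3 and a
# trapdoor check of membership in the language L_RP of Definition 2.  The primes,
# plaintexts and permutation below are constructed toy values; real keys need large
# primes.  Function names are this example's own, not the paper's notation.

def keygen(p: int, q: int):
    """Paillier key generation: pk = N = pq, sk = lambda = lcm(p - 1, q - 1)."""
    N = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    assert math.gcd(N, lam) == 1  # needed so that lambda is invertible mod N
    return N, lam

def rand_unit(N: int) -> int:
    """Uniform r in Z_N^* by rejection sampling."""
    while True:
        r = secrets.randbelow(N)
        if r > 0 and math.gcd(r, N) == 1:
            return r

def encrypt(N: int, m: int, r: int) -> int:
    """E_pk(m) with explicit coin r: g = r^N (1 + mN) mod N^2."""
    N2 = N * N
    return pow(r, N, N2) * (1 + m * N) % N2

def reencrypt(N: int, g: int, r2: int) -> int:
    """R_pk(g) with coin r2: g' = r2^N g mod N^2, same plaintext as g."""
    N2 = N * N
    return pow(r2, N, N2) * g % N2

def decrypt(N: int, lam: int, g: int) -> int:
    """D_sk(g) = L(g^lambda mod N^2) / lambda mod N, with L(u) = (u - 1) / N."""
    N2 = N * N
    u = pow(g, lam, N2)
    assert u % N == 1  # L is only defined on u = 1 (mod N)
    return (u - 1) // N * pow(lam, -1, N) % N

def is_nth_residue(N: int, lam: int, z: int) -> bool:
    """With the trapdoor lambda, N-th residuosity mod N^2 is easy: z = y^N for some y
    iff z^lambda = 1 mod N^2 (equivalently D_sk(z) = 0).  Without lambda, deciding
    this is exactly the DCRA problem of Section 2.2."""
    return pow(z, lam, N * N) == 1

def shuffle(N: int, L_in: list, perm: list) -> list:
    """Algorithm S of Definition 3: L_out[perm[i]] = R_pk(L_in[i]) with fresh coins.
    perm is 0-based here (the paper indexes from 1)."""
    L_out = [None] * len(L_in)
    for i, g in enumerate(L_in):
        L_out[perm[i]] = reencrypt(N, g, rand_unit(N))
    return L_out

def in_language_LRP(N: int, lam: int, L_in: list, L_out: list, perm: list) -> bool:
    """Trapdoor check of (pk, L_in, L_out) in L_RP for the witness permutation perm.
    A re-encryption of L_in[i] is any ciphertext of the same plaintext, so with sk the
    check is a plaintext comparison.  The paper's verifier V has no sk; this function
    only exercises the syntax of Definition 2."""
    n = len(L_in)
    if len(L_out) != n or sorted(perm) != list(range(n)):
        return False
    return all(decrypt(N, lam, L_out[perm[i]]) == decrypt(N, lam, L_in[i])
               for i in range(n))

def demo() -> dict:
    """Run the pieces end to end on constructed inputs and report what held."""
    N, lam = keygen(101, 113)                 # constructed toy primes, N = 11413
    msgs = [7, 42, 9999, 0]                   # constructed plaintexts in Z_N
    coins = [rand_unit(N) for _ in msgs]
    L_in = [encrypt(N, m, r) for m, r in zip(msgs, coins)]
    perm = [2, 0, 3, 1]                       # constructed permutation (0-based)
    L_out = shuffle(N, L_in, perm)
    # Condition (2.1) in concrete form: re-encrypting with coin r2 gives exactly the
    # fresh encryption with coin r*r2, because x^N mod N^2 depends only on x mod N.
    r2 = rand_unit(N)
    same_as_fresh = reencrypt(N, L_in[0], r2) == encrypt(N, msgs[0], coins[0] * r2 % N)
    return {
        "roundtrip": [decrypt(N, lam, g) for g in L_in] == msgs,
        "in_LRP": in_language_LRP(N, lam, L_in, L_out, perm),
        "wrong_perm": in_language_LRP(N, lam, L_in, L_out, [0, 1, 2, 3]),
        "reenc_is_fresh_enc": same_as_fresh,
        "residue": is_nth_residue(N, lam, pow(coins[0], N, N * N)),
        "nonresidue": is_nth_residue(N, lam, L_in[0]),
    }

if __name__ == "__main__":
    print(demo())
```

The `reenc_is_fresh_enc` flag is the concrete content of condition (2.1): since r·r' is uniform in Z_N^* whenever r' is, the output of R_pk is distributed exactly like a fresh E_pk(m), which is what lets the shuffle hide the permutation. The `in_language_LRP` check deliberately uses sk and is only a sanity check of the syntax; the verifier of Definition 4 never has sk and must rely on the proof system instead.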

3.3 Security Definitions 

There are two security requirements. Privacy requires an honest shuffle to protect its secret permutation, whereas verifiability requires that any attempt by a malicious shuffle to produce an incorrect output must be detectable. 

We assume an honest verifier for the proof system (P, V). 



Verifiability. The proof system proves that the output of the shuffle is a permutation of the re-encryptions of the input ciphertexts. In other words, it is a proof system for the language L_RP. The proof system should satisfy two conditions, completeness and soundness. The completeness condition states that for all x ∈ L_RP, the proof system accepts with overwhelming probability. The soundness condition means that for all x ∉ L_RP the proof system accepts with negligible probability. In both definitions of completeness and soundness, we capture the non-uniform capability of the adversary by using a (non-uniform) auxiliary input t. 

The private input y of the prover does not include the private key sk but may include information about the lists of plaintexts L_in^{(p)}, L_out^{(p)} and the corresponding probabilistic inputs C_{E_pk}^{L_in^{(p)}, L_in}, C_{E_pk}^{L_out^{(p)}, L_out}. The following definition is for interactive proof systems but can be trivially modified for non-interactive proof systems. 

Definition 5. A shuffle (RP, S, (P, V)) is verifiable if its proof system (P, V) has a polynomial-time V and satisfies two conditions: 

— Completeness: For every PPT algorithm A and every positive polynomial p(), there exists an l_0 such that for all l > l_0 and t ∈ {0, 1}^{poly(l)}, it holds that

$$
\Pr\left[ (P(y), V)(pk, L_{in}, L_{out}) = 1 \;\middle|\; (pk, L_{in}, L_{out}) \in L_{RP} \right] > 1 - \frac{1}{p(l)}
$$

where (pk, sk) ← G(1^l), (π, L_in, L_out) ← A(pk, t), y ← w(pk, L_in, L_out). 

— Soundness: For every interactive machine B, every PPT algorithm A and every positive polynomial p(), there exists an l_0 such that for all l > l_0 and t ∈ {0, 1}^{poly(l)}, it holds that

$$
\Pr\left[ (B(y), V)(pk, L_{in}, L_{out}) = 1 \;\middle|\; (pk, L_{in}, L_{out}) \notin L_{RP} \right] < \frac{1}{p(l)}
$$

where (pk, sk) ← G(1^l), (π, L_in, L_out) ← A(pk, t), y ← (π, L_in^{(p)}, C_{E_pk}^{L_in^{(p)}, L_in}, L_out^{(p)}, C_{E_pk}^{L_out^{(p)}, L_out}). 

Privacy. First assume the algorithm S performs correctly and the aim is to model concealment of the permutation. The shuffle is a public-key transformation that hides the permutation through re-encryption. This can be viewed as 'encryption' of the permutation through the process of re-encryption, hence we use notions of 'concealment' of plaintexts in encryption systems to model privacy. We consider two types of adaptive attacks by active adversaries. Chosen permutation attack (CPA_S) is similar to chosen plaintext attacks: the adversary can obtain transcripts of the shuffle executions corresponding to permutations that the adversary adaptively chooses. Chosen transcript attack (CTA_S) is similar to chosen ciphertext attacks: the adversary obtains permutations that correspond to valid shuffle transcripts that it adaptively chooses. The transcript of a verifiable shuffle's execution consists of the lists of input ciphertexts and output ciphertexts and the transcript of the proof system. An adaptive attack has four steps. 

• Key generation: A trusted party generates the keys (pk, sk) ← G(1^l). The adversary is given (1^l, pk). (sk is used for decryption and is also not given to the shuffle.) 

• Oracle queries: The adversary (adaptively) uses the information obtained so far to make queries to some oracles. The types of oracles determine the type of the attack (CPA_S and CTA_S). After making a number of such queries, the adversary moves to the next stage. 

• Challenge generation: Using the information obtained so far, the adversary specifies a challenge template, according to which an actual challenge will be generated. 

• Additional oracle queries: Based on the information obtained so far, the adversary makes additional queries as in Step 2 and then produces an output and halts. 

The adversary's strategy consists of two stages, each represented by a PPT oracle machine, and corresponding to its action before and after generation of the actual challenge. The first part, denoted by A_1, captures the adversary's behavior during Steps 2 and 3. A_1 is given the public key pk, and its output is a pair (τ, δ), where τ is the challenge template generated at the beginning of Step 3 and δ is the state information passed to the second part of the adversary. The second part of the adversary, denoted by A_2, captures the adversary's behavior during Step 4. A_2 is given the state information δ and the actual challenge o generated in Step 3, and produces the adversary's output. We let each oracle machine have a (nonuniform) auxiliary input t. This is to capture the nonuniform power of the adversary. It suffices to give t only to the first machine, as A_1 can pass this input to the second machine as part of the state information δ. A similar argument shows that it suffices to provide the public key only to A_1. We write (τ, δ) ← A_1^{Oracles}(pk, t) and v ← A_2^{Oracles}(δ, o), where Oracles specifies the oracles that are available to the adversary. 

Notions of Privacy: We consider two notions of privacy. Semantic privacy formalizes the intuition that whatever is computable about the permutation from a shuffle execution transcript must also be computable without the transcript. In formalising this notion under CPA_S and CTA_S we consider the following challenge templates. The challenge template includes a triplet of polynomial-size circuits Π_n, h_n, f_n and a list of n ciphertexts L_in. Π_n specifies a distribution on the set T_n (of all permutations on {1, ..., n}): it takes a poly(l)-bit input (l is the security parameter) and outputs a permutation π ∈ T_n. The information regarding the permutation that the adversary tries to obtain is captured by f_n, whereas the a-priori partial information about the permutation is captured by h_n. The actual challenge includes the list of output ciphertexts L_out, the transcript of the proof system View_V(pk, L_in, L_out), the partial information h_n(π), the list of n input ciphertexts L_in, the list of n corresponding plaintexts L_in^{(p)} and the list of probabilistic inputs C_{E_pk}^{L_in^{(p)}, L_in}. The inclusion of L_in^{(p)} and C_{E_pk}^{L_in^{(p)}, L_in} models the fact that the adversary can somehow know all the plaintexts of the input ciphertexts to the shuffle. The adversary's goal is to guess f_n(π). 

The second notion of privacy is indistinguishability and means that it is infeasible to distinguish transcripts of two shuffle executions that correspond to two permutations of the same size. In the definitions of IND-CPA_S and IND-CTA_S, the challenge template consists of a pair of permutations π_(1), π_(2) ∈ T_n and a list of n ciphertexts L_in. The actual challenge is the transcript of the shuffle execution corresponding to one of the permutations and consists of the list of output ciphertexts L_out, the transcript of the proof system View_V(pk, L_in, L_out), the list of input ciphertexts L_in and the corresponding plaintexts L_in^{(p)}, and the probabilistic inputs C_{E_pk}^{L_in^{(p)}, L_in} of the input ciphertexts. The adversary's goal is to distinguish the two possible cases. 

Attacks: We consider two attacks. 

(Chosen permutation attack) The adversary has access to two oracles. The first oracle takes a permutation and a list of input ciphertexts and produces the ciphertext list output by the algorithm S corresponding to the input list, and the transcript of the proof system (P, V) when the shuffle interacts with an honest verifier. The second oracle takes a plaintext and returns the ciphertext encrypted by algorithm E_pk corresponding to that plaintext. The adversary is adaptive and queries are chosen by taking the results of all previous queries into account. We note that in CPA_S the adversary can compute all answers to the queries using public information; however, using oracles provides consistency in our presentation. 

Definition 6. A verifiable shuffle (RP, S, (P, V)) is said to have semantic privacy under chosen permutation attack (SP-CPA_S) if for every pair of PPT oracle machines, A_1 and A_2, there exists a pair of PPT algorithms, A'_1 and A'_2, such that the following two conditions hold: 

1. For every positive polynomial p(), there exists an l_0 such that for all l > l_0 and t ∈ {0, 1}^{poly(l)}, it holds that

$$
\Pr\left[ v = f_n(\pi) \;\text{where}\;
\begin{array}{l}
(pk, sk) \leftarrow G(1^l), \\
((\Pi_n, h_n, f_n, L_{in}), \delta) \leftarrow A_1^{S, (P,V), E_{pk}}(pk, t), \\
L_{out} \leftarrow S(pk, L_{in}, \pi) \;\text{where}\; \pi \leftarrow \Pi_n(U_{poly(l)}), \\
o \leftarrow (L_{out}, View_V(pk, L_{in}, L_{out}), h_n(\pi), L_{in}, L_{in}^{(p)}, C_{E_{pk}}^{L_{in}^{(p)}, L_{in}}), \\
v \leftarrow A_2^{S, (P,V), E_{pk}}(\delta, o)
\end{array}
\right]
< \Pr\left[ v = f_n(\pi) \;\text{where}\;
\begin{array}{l}
((\Pi_n, h_n, f_n), \delta) \leftarrow A'_1(1^l, t), \\
\pi \leftarrow \Pi_n(U_{poly(l)}), \\
v \leftarrow A'_2(\delta, 1^n, h_n(\pi))
\end{array}
\right] + \frac{1}{p(l)}
$$

2. For every l and t above, the parts (Π_n, h_n, f_n) in the random variables A_1^{S, (P,V), E_pk}(pk, t) and A'_1(1^l, t) are identically distributed. 

Definition 7. A verifiable shuffle (RP, S, (P, V)) is said to provide indistinguishability under chosen permutation attack (IND-CPA_S) if for every pair of PPT oracle machines, A_1 and A_2, and for every positive polynomial p(), there exists an l_0 such that for all l > l_0 and t ∈ {0, 1}^{poly(l)}, it holds that

$$
\left| P^{(1)}_{l,t} - P^{(2)}_{l,t} \right| < \frac{1}{p(l)}
$$

where

$$
P^{(i)}_{l,t} = \Pr\left[ v = 1 \;\text{where}\;
\begin{array}{l}
(pk, sk) \leftarrow G(1^l), \\
((\pi_{(1)}, \pi_{(2)}, L_{in}), \delta) \leftarrow A_1^{S, (P,V), E_{pk}}(pk, t), \\
L_{out} \leftarrow S(pk, L_{in}, \pi_{(i)}), \\
o \leftarrow (L_{out}, View_V(pk, L_{in}, L_{out}), L_{in}, L_{in}^{(p)}, C_{E_{pk}}^{L_{in}^{(p)}, L_{in}}), \\
v \leftarrow A_2^{S, (P,V), E_{pk}}(\delta, o)
\end{array}
\right]
$$

and π_(1), π_(2) ∈ T_n. 

The following theorem shows the equivalence of SP-CPA_S and IND-CPA_S. The proof is similar to the proof of the equivalence of SS-CPA and IND-CPA [11]. 

Theorem 2. A verifiable shuffle (RP, S, (P, V)) provides SP-CPA_S if and only if it provides IND-CPA_S. 

(Chosen transcript attack) In this attack, in addition to the two oracles described before, the adversary has access to another oracle T, that takes a transcript of a shuffle execution and returns the corresponding permutation if the transcript is valid, and an error symbol otherwise. We assume that in Step 4 the adversary cannot use the transcript in the actual challenge as the query to T. 

We note that if the shuffle does not provide verifiability, then the adversary can always learn the permutation. This is because the shuffle transcript consists of an input and an output ciphertext list, and the adversary can use re-encryption to generate another input and output ciphertext list that he can present to T and obtain the permutation. For verifiable shuffles, the attack can be prevented by using proof systems. For example, informally, by adding proofs of knowledge in the verifiability proof, construction of new valid transcripts from old ones can be prevented. 

Definitions of SP-CTA_S and IND-CTA_S and the theorem stating their equivalence are quite similar to Definitions 6, 7 and Theorem 2 and can be found in the full version of this paper [21]. 



3.4 Applications to Some Verifiable Shuffles 

The following theorems show security of the Furukawa-Sako [6], Neff [19] and Groth [13] verifiable shuffles. The proof of Verifiability (Theorem 3) can be constructed from the proofs of Completeness and Soundness in the corresponding papers. The proof of SP-CPA_S (Theorem 4) is similar to that for the verifiable shuffle in the next section. 

Theorem 3. The Furukawa-Sako shuffle provides Verifiability if the Discrete Log Assumption holds. The Neff shuffle achieves Verifiability with overwhelming probability. The Groth shuffle provides Verifiability if the encryption scheme provides SS-CPA and the commitment scheme is secure. 



Theorem 4. The Furukawa-Sako and Neff shuffles provide SP-CPA_S if the Decisional Diffie-Hellman Assumption holds. The Groth shuffle provides SP-CPA_S under the conditions specified in Theorem 3. 

4 A Verifiable Shuffle Based on Paillier Public-Key System 

4.1 Description 

In our verifiable shuffle, the public-key re-encryption scheme RP is the Paillier scheme. The public key is pk = N and the secret key is sk = λ. The algorithm S takes pk, a list of Paillier ciphertexts g_1, ..., g_n ∈ Z_{N²}^* and a permutation π and outputs another list of Paillier ciphertexts g'_1, ..., g'_n ∈ Z_{N²}^*. The proof system (P, V) is described in the next subsection. 



4.2 Proof System 

The proof system (P, V) proves that the prover P knows a permutation π and r_1, ..., r_n ∈ Z_N^* so that g'_i = r_i^N g_{π^{-1}(i)}. The input to the proof system is N, {g_i}, {g'_i}, i = 1, ..., n. Suppose there is a publicly known set {ĝ_i}_{i=1}^n of elements in Z_{N²}^*, which is generated randomly and independently from the ciphertexts. Therefore if DCRA holds, then it is easy to show that without knowing the secret key sk, it is infeasible to obtain non-trivial {a_i} so that there exists z ∈ Z_N^* satisfying ∏_{i=1}^n ĝ_i^{a_i} = z^N in polynomial time. Representing the permutation π by a permutation matrix (A_ij)_{n×n}, the protocol is as follows: 

1. P generates: α_i ∈_R Z_N and α, λ, σ, δ_i, ρ, ρ_i, τ, τ_i ∈_R Z_N^*, i = 1, ..., n 

2. P computes: 



9i = n N Y[gj Aii ] Wi = (1 + N^T2a J A ji ), i = 1 g = o V ] [ 



3 = 1 



3 = 1 



3=1 



f = a N Y[gj aj ; v = p N (l + N^a?); w = t n (1 + a?) 



3=1 



3=1 



3=1 



U = S i f i l + N^23a j A ji )-, i)i = pf (1 + N^ScXjAji), i = 1, ...,i 
3=1 3=1 



3. P → V: {g'_i}, g', ĝ', {u_i}, {v_i}, v, {w_i}, w, i = 1, ..., n 

4. P ← V: challenge {c_i}, c_i ∈_R Z_N, i = 1, ..., n 
5. P → V: the following responses 

$$
s_i = \sum_{j=1}^{n} A_{ij} c_j + \alpha_i \bmod N, \; i = 1, \ldots, n; \qquad
s = \alpha \prod_{i=1}^{n} r_i^{c_i} \prod_{i=1}^{n} g_i^{d_i} \bmod N
$$
n n 2 n 

s = a n r i i 9i i moc ^ ^ u — p n mo ^ ^ — r n T i i m °d n 

2=1 2=1 2=1 

where d_i = (∑_{j=1}^n A_ij c_j + α_i − s_i)/N, i = 1, ..., n (so d_i can only be 0 or 1) 

6. V verifies: 



n 




3=1 



n n n 2 

g 1 n ujv ( i + n ^Z( s3 j - c ?)) = ' n vfHj 0 * 

3=1 3=1 3=1 

s' n 9 T ; ^(i + TV ]T(s? - c])) = w Wj c i 

3=1 3=1 3=1 



4.3 Security 

The proposed shuffle provides Verifiability and SP-CPA_S under DCRA, as stated in Theorem 5 and Theorem 8. 

Theorem 5. The shuffle achieves Verifiability if DCRA holds. 

To prove Theorem 5, we need Theorem 6 and Theorem 7. The rest of the proof of Theorem 5 is quite similar to the Completeness and Soundness proofs of the Furukawa-Sako scheme [6] and can be found in the full version of this paper [21]. 



Theorem 6. A matrix (A_ij)_{n×n} is a permutation matrix modulo N, or there exist i', j' such that gcd(A_{i'j'}, N) = p, if for all i, j, k both

$$
\sum_{h=1}^{n} A_{hi} A_{hj} = \begin{cases} 1 \bmod N & \text{if } i = j \\ 0 \bmod N & \text{otherwise} \end{cases} \qquad (1)
$$

$$
\sum_{h=1}^{n} A_{hi} A_{hj} A_{hk} = \begin{cases} 1 \bmod N & \text{if } i = j = k \\ 0 \bmod N & \text{otherwise} \end{cases} \qquad (2)
$$

hold. 



Proof. Suppose a matrix (A_ij) satisfies (1) and (2); then (A_ij) is a permutation matrix mod p and also a permutation matrix mod q, based on Theorem 1. Therefore, if (A_ij) is not a permutation matrix mod N, then there exist i', j' such that A_{i'j'} = 0 mod p and A_{i'j'} = 1 mod q. This leads to gcd(A_{i'j'}, N) = p. 
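As an added example (not code from the paper), the Python below checks the two equations of Theorem 1 modulo an arbitrary k and then exercises the observation behind Theorem 6: a matrix lifted entry-wise by the Chinese Remainder Theorem from two different permutation matrices satisfies both equations modulo a composite N = pq without being a permutation matrix modulo N, and one of its entries then shares a factor with N. An exhaustive check over all small matrices confirms Theorem 1 for prime moduli and shows the equivalence fails for k = 6. The primes and matrices are constructed toy values and the function names are this example's own.

```python
import math
from itertools import product

# Added example (not the paper's code): the two Furukawa-Sako equations of Theorem 1
# checked modulo an arbitrary k, and the Theorem 6 observation that modulo N = pq
# passing both equations either certifies a permutation matrix or exposes an entry
# whose gcd with N is a non-trivial factor.  All sample values are constructed.

def delta(*idx) -> int:
    """Kronecker delta: 1 if all indices are equal, else 0."""
    return 1 if len(set(idx)) == 1 else 0

def fs_equations_hold(A, k):
    """The two equations of Theorem 1 / Theorem 6 over Z_k:
    sum_h A[h][i]*A[h][j] = delta(i,j) and sum_h A[h][i]*A[h][j]*A[h][l] = delta(i,j,l)."""
    n = len(A)
    for i, j in product(range(n), repeat=2):
        if sum(A[h][i] * A[h][j] for h in range(n)) % k != delta(i, j):
            return False
    for i, j, l in product(range(n), repeat=3):
        if sum(A[h][i] * A[h][j] * A[h][l] for h in range(n)) % k != delta(i, j, l):
            return False
    return True

def is_permutation_matrix(A, k):
    """Definition 1 directly: every entry is 0 or 1 mod k, exactly one 1 per row and column."""
    B = [[a % k for a in row] for row in A]
    if any(b not in (0, 1) for row in B for b in row):
        return False
    return all(sum(r) == 1 for r in B) and all(sum(c) == 1 for c in zip(*B))

def equations_characterize_permutations(n, k):
    """Exhaustive check over all n x n matrices with entries in Z_k that the equations
    hold exactly for the permutation matrices (Theorem 1 asserts this for prime k)."""
    for entries in product(range(k), repeat=n * n):
        A = [list(entries[r * n:(r + 1) * n]) for r in range(n)]
        if fs_equations_hold(A, k) != is_permutation_matrix(A, k):
            return False
    return True

def perm_matrix(perm):
    """A_ij = 1 iff perm[i] = j (0-based version of Definition 1)."""
    n = len(perm)
    return [[1 if perm[i] == j else 0 for j in range(n)] for i in range(n)]

def crt_combine(A_p, A_q, p, q):
    """Entry-wise CRT lift: result == A_p (mod p) and == A_q (mod q)."""
    N, inv_p = p * q, pow(p, -1, q)
    return [[(a + p * ((b - a) * inv_p % q)) % N for a, b in zip(rp, rq)]
            for rp, rq in zip(A_p, A_q)]

def factor_from_matrix(A, N):
    """Theorem 6: if both equations hold mod N but A is not a permutation matrix mod N,
    some entry A_ij has 1 < gcd(A_ij, N) < N.  Returns that factor, or None."""
    if not fs_equations_hold(A, N) or is_permutation_matrix(A, N):
        return None
    for row in A:
        for a in row:
            g = math.gcd(a % N, N)
            if 1 < g < N:
                return g
    return None

if __name__ == "__main__":
    # Constructed toy modulus N = 101 * 113; identity mod p, swap mod q.
    A = crt_combine(perm_matrix([0, 1]), perm_matrix([1, 0]), 101, 113)
    print(fs_equations_hold(A, 11413), is_permutation_matrix(A, 11413),
          factor_from_matrix(A, 11413))
```

The CRT-lifted matrix is exactly the case Theorem 6 singles out: it passes both equations modulo N because it passes them modulo p and modulo q separately, yet its entries are neither 0 nor 1, and taking gcd of such an entry with N reveals a prime factor. Since a prover who can build such a matrix without knowing the factorisation would have factored N, the composite modulus does not weaken the soundness argument; this is why the shuffle's verifiability can be reduced to DCRA rather than requiring a prime modulus as in Furukawa-Sako.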



Theorem 7. Denote by ⟨S⟩_k the vector space spanned by a set of vectors S modulo k and by |S| the number of elements in S. Suppose a set of vectors S_n = {(1, c_1, ..., c_n) | (c_1, ..., c_n ∈ Z_N) ∧ (∄ Q_n ⊆ S_n : |Q_n| = n + 1 ∧ ⟨Q_n⟩_p = Z_p^{n+1} ∧ ⟨Q_n⟩_q = Z_q^{n+1})}. Then |S_n| ≤ (p + q)N^{n−1}. 
Proof. It is proved by induction as follows. 

— n = 1: Suppose a set of vectors S_1 ⊆ {(1, c) | c ∈ Z_N} satisfying |S_1| > (p + q), and a vector (1, c_1) ∈ S_1. Consider the set R_1 = {(1, c_1 + kp mod N) | k ∈ Z_q} ∪ {(1, c_1 + kq mod N) | k ∈ Z_p}. As |R_1| = p + q − 1, there exists c_2 ∈ Z_N so that (1, c_2) ∈ S_1 but (1, c_2) ∉ R_1. Then Q_1 = {(1, c_1), (1, c_2)} satisfies |Q_1| = 2 ∧ ⟨Q_1⟩_p = Z_p^2 ∧ ⟨Q_1⟩_q = Z_q^2. 

— Assume it is right for n. We prove it is also right for n + 1. Let a set S_{n+1} = {(1, c_1, ..., c_{n+1}) | (c_1, ..., c_{n+1} ∈ Z_N) ∧ (∄ Q_{n+1} ⊆ S_{n+1} : |Q_{n+1}| = n + 2 ∧ ⟨Q_{n+1}⟩_p = Z_p^{n+2} ∧ ⟨Q_{n+1}⟩_q = Z_q^{n+2})}. Consider S'_n = {(1, c_1, ..., c_n) | ∃ c_{n+1} ∈ Z_N : (1, c_1, ..., c_n, c_{n+1}) ∈ S_{n+1}}; there are two possibilities: 

1. If ∄ Q'_n ⊆ S'_n : |Q'_n| = n + 1 ∧ ⟨Q'_n⟩_p = Z_p^{n+1} ∧ ⟨Q'_n⟩_q = Z_q^{n+1}, then |S'_n| ≤ (p + q)N^{n−1}, as the theorem is right for n. So |S_{n+1}| ≤ |S'_n| N ≤ (p + q)N^n. 

2. If ∃ Q'_n ⊆ S'_n : |Q'_n| = n + 1 ∧ ⟨Q'_n⟩_p = Z_p^{n+1} ∧ ⟨Q'_n⟩_q = Z_q^{n+1}, select a set T of n + 1 vectors (1, c_{i1}, ..., c_{i(n+1)}) ∈ S_{n+1}, i = 1, ..., n + 1, so that Q'_n = {(1, c_{i1}, ..., c_{in})}. Let

$$
d = \det \begin{pmatrix} 1 & c_{11} & \cdots & c_{1n} \\ \vdots & \vdots & & \vdots \\ 1 & c_{(n+1)1} & \cdots & c_{(n+1)n} \end{pmatrix} \bmod N,
$$

then gcd(d, N) = 1, so d^{−1} mod N exists. For each vector x = (1, x_1, ..., x_{n+1}) ∈ S_{n+1} (including those in T), let

$$
d_x = \det \begin{pmatrix} 1 & c_{11} & \cdots & c_{1(n+1)} \\ \vdots & \vdots & & \vdots \\ 1 & c_{(n+1)1} & \cdots & c_{(n+1)(n+1)} \\ 1 & x_1 & \cdots & x_{n+1} \end{pmatrix} = d \, x_{n+1} - F(x_1, \ldots, x_n) \bmod N
$$

for some function F. The conditions on S_{n+1} lead to either d_x = 0 mod p or d_x = 0 mod q. Suppose d_x = 0 mod p, then x_{n+1} = d^{−1} F(x_1, ..., x_n) mod p, so the number of possible vectors x = (1, x_1, ..., x_{n+1}) is no more than qN^n. Similarly for the case d_x = 0 mod q, the number of possible vectors x = (1, x_1, ..., x_{n+1}) is no more than pN^n. So |S_{n+1}| ≤ (p + q)N^n. 



Theorem 8. The shuffle achieves SP-CPA_S if and only if DCRA holds. 

Based on Theorem 2, proving Theorem 8 is equivalent to proving Theorem 9 
below. We need Definition 8 and Lemma 1 to prove Theorem 9. The proof of Lemma 
1 can be found in the full version of this paper [21]. 

Definition 8. Define $R_m$ to be the set of tuples of $m$ elements in $\mathbb{Z}^*_{N^2}$ and 
the subset $D_m$ of $R_m$ to be the set of tuples of $m$ $N$-th residues modulo $N^2$. We 
then denote the problem of distinguishing instances uniformly chosen from $R_m$ 
from those uniformly chosen from $D_m$ by DCRA_m. 

Lemma 1. For any $m \ge 1$, DCRA_m is easy if and only if DCRA is easy. 
Theorem 9. The shuffle achieves IND-CPA_S if and only if DCRA holds. 

Proof. Suppose the challenge template includes two permutations $\pi_{(1)}, \pi_{(2)} \in T_n$ 
and a list of ciphertexts $L_{in} = (g_1, \ldots, g_n)$. The actual challenge $o$ to the adversary 
includes $L_{in}$, the list of corresponding plaintexts $L^{(p)}_{in}$, a list of re-encryption 
ciphertexts $L_{out} = (g'_1, \ldots, g'_n)$ and 

$$View_V(pk, L_{in}, L_{out}) = (\{g_i\}, \{g'_i\}, \{t_i\}, \{v_i\}, \{w_i\}, v, w, \{c_i\}, \{s_i\}, s, s', u, u')$$

satisfying the verification equations of the proof, which have the form 

$$g' = s^N \prod_{j=1}^{n} \cdots, \qquad g'' = s'^N \prod_{j=1}^{n} \cdots,$$

$$\cdots = u^N \Big(1 + N \sum_{j=1}^{n} (c_j^3 - s_j^3)\Big) \prod_{j=1}^{n} \cdots, \qquad \cdots = v^N \Big(1 + N \sum_{j=1}^{n} (c_j^2 - s_j^2)\Big) \prod_{j=1}^{n} \cdots$$

Compute $I_{\pi_{(1)}} = (h_1, \ldots, h_n, h'_1, \ldots, h'_n, w'_1, \ldots, w'_n)$, where 

$$a_i = s_i - c_{\pi_{(1)}(i)} \bmod N; \quad h_i = g'_i / g_{\pi_{(1)}(i)}, \quad i = 1, \ldots, n;$$

$$h'_i = t_i / (1 + N \cdots), \quad i = 1, \ldots, n;$$

$$w' = v / \Big(1 + N \sum a_i^2 \cdots\Big); \quad w'_i = w_i / (1 + N \cdots), \quad i = 1, \ldots, n.$$

Then $\pi_{(1)}$ is the permutation used for the actual challenge $o$ if and only if $I_{\pi_{(1)}} \in 
D_{3n}$. Therefore, based on Lemma 1, if the actual challenge $o$ is computationally 
distinguishable under chosen shuffle attacks, then DCRA is easy, and vice versa. 



4.4 Efficiency 

The proposed shuffle has the round efficiency (3 rounds) and the number of 
exponentiations (about 18n) of the Furukawa-Sako protocol, compared to Groth's 
protocol with a 7-round proof. The shuffle has fewer rounds and requires a smaller 
number of exponentiations compared to Neff's protocol with 7 rounds and 23n 
exponentiations. (Note that exponentiations in our case are modulo N^2, which is 
more expensive than modulo p, and so the number of bit operations in Furukawa- 
Sako's shuffle is smaller.) Compared with the Furukawa-Sako and Groth proof sys- 
tems, our proposed proof system has a more efficient initialization phase. In both 
of those systems for El Gamal ciphertexts, a set of subgroup elements is used, and 
constructing these elements is in general computationally expensive [19]. Our 
proof system also relies on a set ({g_1, ..., g_n}) of elements, but these are elements 
of Z*_{N^2} that are just randomly generated. 
Abstract. An AONT is an efficiently computable transform with two 
properties. Given all the bits of its output, it is easy to retrieve the 
message. On the other hand, if sufficiently many bits of the output are 
missing, it is computationally infeasible for a polynomial-time adver- 
sary to learn any information about the message. One may then naturally 
conclude that if a secure AONT is used in a cryptosystem, the whole 
system will be secure as long as sufficiently many bits are "protected". 
However, we show this is not enough. Our results are three-fold: First, 
we answer an open problem raised in [6], showing that previous definitions 
are not sufficient to guarantee a provably secure cryptosystem with strong 
data privacy, namely indistinguishability against chosen ciphertext attack 
(IND-CCA). Second, we give a new definition of AONT and show that it 
suffices to guarantee that an AONT integrated with any encryption function 
yields an IND-CCA secure cryptosystem. Third, we give concrete constructions 
that satisfy the new definition. 



1 Introduction 

The Concept. The All-or-Nothing transform (AONT) was introduced by Rivest in 
[17] to increase the cost of brute force attacks on block ciphers without changing 
the key length. As originally defined in [17], an AONT is a randomized transform 
T that can be computed efficiently, mapping sequences of blocks (x_1, ..., x_n) to 
sequences of blocks (y_1, ..., y_{n'}), with the following properties: 

– If all the blocks of T(x_1, ..., x_n) = (y_1, ..., y_{n'}) are given, it is easy to compute 
(x_1, ..., x_n). 

– Even if one of the output blocks (y_1, ..., y_{n'}) is missing, it is infeasible to 
find out any information about any of the original blocks (x_1, ..., x_n). 

If such a transform is applied to a message producing a sequence of output 
blocks, and each of these blocks is encrypted by a block cipher, interestingly, an 
adversary will have no information unless it can decrypt all the cipher blocks. 
Thus the attack will be slowed down by a factor of n' without even changing 
the length of the secret key. However, since the security of AONT and the data 
privacy of a cryptosystem were developed independently in the literature, one may 
naturally ask the following question: is a cryptosystem secure if it is composed 
of a "secure" AONT and an encryption component? In other words, how can 
we safely utilize an AONT in a cryptosystem? In this paper, we try to give an 
answer to such questions. 

M. Jakobsson, M. Yung, J. Zhou (Eds.): ACNS 2004, LNCS 3089, pp. 76-90, 2004. 
(c) Springer-Verlag Berlin Heidelberg 2004 
Applications of AONT. The first category of applications, as already 
mentioned, is as a mode of operation for block ciphers that enhances 
security against exhaustive key search without increasing the key 
length, as proposed in [17,8]. An AONT can also be combined with cryptosystems to 
reduce the computation cost of a bandwidth-limited device. This is also known 
as remotely keyed encryption. If an AONT is applied to a long message to be 
sent, then because of the nice property of AONT only a small proportion, say a few 
blocks, of the AONT output needs to be encrypted, as shown by Jakobsson, Stern 
and Yung [13]. In [14], for inclusion in the IEEE P1363a standard, an AONT 
was proposed to make fixed-block-size encryption schemes more efficient. The 
authors further claim that this method is encryption-algorithm independent, 
that is, it works with any asymmetric or symmetric key encryption. However, this needs more 
careful discussion, as we shall show later. 

With an AONT, one can design a cryptosystem with a separate component, say 
a smart card, which holds the secret key independently from the main system. By 
updating the secret keys from time to time, one can obtain a strongly key-insulated 
cryptosystem [9]. This was further generalized in [21] to a parallel 
construction of multiple encryption that enhances the security of a single component 
cipher. Besides, as pointed out in [6], one might use an AONT for gradual exchange 
of information. Suppose two users Alice and Bob want to exchange the secrets 
they hold. One possible problem is that the secrets might be of different lengths. 
Then we can apply an AONT to "pad" both secrets to equal length. An additional 
zero-knowledge proof should be attached to prevent cheating. 

AONT Enhances Data Privacy? From the above discussion, one may naturally 
think that if a secure AONT is used in the system, the data privacy will be pro- 
tected as long as the underlying AONT is secure and sufficiently many bits of the 
transformed message are protected by the encryption component. However, we 
argue that this intuition may not be true. At least, it may be fallacious with respect 
to chosen ciphertext security (CCA), which is considered the standard security 
notion for practical cryptosystems. For why chosen ciphertext security is impor- 
tant, one may refer to [18]. We note that in the context of authenticated 
encryption, it has been pointed out in [3] that for several methods of combining 
a secure message authentication code (MAC) with a secure encryption scheme, 
the resulting authenticated encryption may be insecure. 

Previous Definitional Efforts and Related Primitives. The first def- 
inition was given in Rivest's original work [17]; however, that definition only 
covers the case where the adversary "loses" a particular message block. It did 
not specify exactly what information an adversary learns about the 
input when several bits are invisible, and how the adversary learns information 
about the input from the output bits that it does hold was not 
addressed. 

Desai studied AONT in the context of the security of symmetric key encryp- 
tion against key search attacks [8], and gave a definition of AONT. Again, in his 
model the security is defined in a block-wise manner: if some missing 
blocks cannot be learned by the adversary, it is considered secure. He claims 
that this suffices in building a mode of operation for block ciphers that is secure in 
terms of non-separability of keys. Stinson has considered AONT from the point 
of view of unconditional security [20]. However, his treatment also only considers 
the amount of information leaked by a particular block, and the definition is just a 
straightforward formalization of Rivest's definition in the information-theoretic 
setting. 

Aware of this shortcoming, Boyko [6] gave a new definition, namely indistin- 
guishability [12] against adaptive attack in the random oracle model [11,4]. In 
this model, an adversary can adaptively choose the positions of the bits of the output 
of the AONT that it learns, up to a certain threshold. It is also proved in [6] that 
OAEP, which was proposed by Bellare and Rogaway [5] with the different goal of 
obtaining IND-CCA secure encryption schemes [12,16,15,10,2], is a secure implemen- 
tation satisfying this definition; moreover, no AONT can do significantly better 
than OAEP. Later, Canetti et al. [7] gave a similar definition in the standard 
model (cf. the random oracle model); furthermore, they constructed AONTs secure 
under their definition based on exposure-resilient functions (ERF). They also 
proved that the existence of ERFs is equivalent to that of one-way functions, though 
the existence of the special class of exposure-resilient functions used in their 
OAEP-like construction is still left open. 

A similar notion, concealment, was proposed in the context of remotely keyed 
authenticated encryption by An and Dodis [1]. Both of these notions provide 
secrecy of the message even when most of the blocks are given to the adversary. 
The difference is that concealment also provides authentication (knowledge of 
the plaintext), while an AONT does not necessarily need to. 



1.1 Our Contribution 

Adjusted Security Notion on AONT. We show that previous definitions 
of AONT are insufficient to guarantee cryptosystems with strong security, e.g., 
IND-CCA. We demonstrate that there exist cryptosystems which use an AONT secure 
in the sense of the above definitions but are nevertheless not secure against CCA. 
This also answers negatively an open problem raised in [6], where Boyko won- 
dered whether OAEP can be replaced by an arbitrary AONT in the construction of a 
CCA secure encryption scheme. We point out that previous definitions of AONT 
were either defined in a scenario where only chosen plaintext attack (CPA) is con- 
sidered, or operate with some "ideal" encryption component, e.g., a block cipher 
(often modeled as a random permutation) or an IND-CCA secure encryption com- 
ponent (the strongest security for public key encryption). The security of an AONT 
joined with an arbitrary encryption component against adaptive attacks has not 
been thoroughly considered yet. 

New Definition regarding AONT. Since an AONT is only a ran- 
domized transform which contains no secret key information, considering the security 
of the whole system merely on the basis of the security of the AONT may lead to 
fallacious conclusions. In the real world an active attacker, who may 
be a legal user of the system, is capable of launching adaptive attacks. Thus 
we suggest that the security of the system should be considered as a joint con- 
tribution of the AONT and the encryption component. We give a new definition of 
AONT based on indistinguishability, called extended-indistinguishability, which 
is defined together with the encryption component. A straightforward consequence 
is that if an AONT with extended-indistinguishability is used in a cryp- 
tosystem together with an arbitrary encryption scheme, the resulting cryptosystem 
is IND-CCA secure. 

Construction of Extended-Indistinguishable AONTs. We also give two 
constructions of AONT satisfying the new definition. The first one, provably se- 
cure in the random permutation model, is suitable for deterministic encryption 
primitives. The second one, provably secure in the random oracle model, is suit- 
able for probabilistic encryption primitives. 

2 Preliminary 

2.1 Notations and Model 

Throughout this paper, we limit our scope to "efficiently computable" algo- 
rithms, i.e., algorithms with expected polynomial execution time. 
A function $f : \mathbb{N} \to \mathbb{R}$ is called negligible, denoted $\mathrm{neg}(k)$, if for every constant $l > 0$ there exists 
an integer $k_c$ such that $f(k) < k^{-l}$ for all $k > k_c$. 

$X \approx Y$ denotes that the probability distribution $X$ is computationally indis- 
tinguishable from $Y$. We use $x \xleftarrow{R} X$ to denote that $x$ is uniformly selected 
from the distribution $X$. If $X$ is an algorithm, $x \leftarrow X$ denotes that $x$ is set to the 
output of $X$. We also use $x \oplus y$ to denote the bit-wise XOR of two binary strings 
$x$ and $y$. Let $\Omega$ be the set of all mappings from the set of infinite strings $\{0,1\}^\infty$ to the set 
of finite strings $\{0,1\}^*$; then $G, H \leftarrow \Omega$ denotes two random functions $G$ and 
$H$ selected uniformly from $\Omega$, whose input and output sizes are re- 
stricted appropriately in the proper context. For an integer $n$ and a label $L \subseteq [1, n]$, we define 
$h_{n,L} : \{0,1\}^n \to \{0,1\}^{n - |L|}$ as the function that, for an input binary string of length $n$, 
returns the string punctured at the bit positions indicated by the label $L$. 

2.2 Public Key Encryption 

A public key encryption scheme $\mathcal{E}$ is a 3-tuple of algorithms $\mathcal{E}$ = (Enc-Gen, Enc, Dec). 
Enc-Gen($1^k$) is a probabilistic algorithm, where $k$ is the security parameter, which with 
internal random coin flipping outputs a pair of keys $(pk, sk)$. $pk$ is the encryp- 
tion key, which is made public, and $sk$ is the decryption key, which is kept secret. 
Enc may be a probabilistic algorithm that takes as input a key $pk$ and a mes- 
sage $m$ from the associated message space $\mathcal{M}$, internally flips some coins and 
outputs a ciphertext $c$, denoted by $c \leftarrow \mathrm{Enc}_{pk}(m)$, in short $c \leftarrow \mathrm{Enc}(m)$. Dec is 
a deterministic algorithm that takes as input the ciphertext $c$ and the secret key $sk$, 
and outputs some message $m \in \mathcal{M}$, or "$\bot$" in case $c$ is "invalid". We denote it 
by $m \leftarrow \mathrm{Dec}_{sk}(c)$, in short $m \leftarrow \mathrm{Dec}(c)$. 

Indistinguishability under chosen-ciphertext attack (IND-CCA) is defined as follows: 
no PPT adversary $A$ can distinguish encryptions of any two messages $(M_0, M_1)$ 
of equal length chosen by it with more than negligible advantage over a random guess in the 
following game. We require that $A$ runs in two stages $A_{\mathrm{find}}$ and $A_{\mathrm{guess}}$, in which 
$A_{\mathrm{find}}$ gets side information $\sigma$ from its queries and outputs a pair of challenge 
messages, and $A_{\mathrm{guess}}$ outputs a guess $b'$ on $b$ according to the ciphertext $C_b$ 
produced by the Encryption Oracle with randomly chosen $b \in \{0,1\}$. According 
to the ability of the adversary, $A_{\mathrm{find}}$ and $A_{\mathrm{guess}}$ can be assisted by a Decryption 
Oracle $DO$ that returns the plaintext for any decryption query other than the target 
ciphertext. Note that, depending on the adversary's ability, $DO$ is sometimes 
unavailable (this can equivalently be modelled by $DO$ outputting the empty string 
$\epsilon$). In our analysis it is sufficient to consider the case where $DO$ is available. We 
denote this as: 

$$\Pr\big[(pk, sk) \leftarrow \mathrm{Enc\text{-}Gen}(1^k),\ (M_0, M_1, \sigma) \leftarrow A^{DO}_{\mathrm{find}}(pk),\ b \leftarrow \{0,1\},\ C_b \leftarrow \mathrm{Enc}(M_b),\ b' \leftarrow A^{DO}_{\mathrm{guess}}(C_b, \sigma) : b' = b\big] \le \tfrac{1}{2} + \mathrm{neg}(k)$$

If no PPT adversary violates this bound against $\mathcal{E}$, then we call $\mathcal{E}$ IND-CCA secure. 

2.3 Previous Definitions on AONT 

Definition from [6]. In fact, in [6] several definitions are presented based on se- 
mantic security and indistinguishability [12], against adaptive and non-adaptive 
attacks. From the quantitative results given in [6], we notice that the upper bounds 
for semantic security and indistinguishability against adaptive attacks are essen- 
tially the same. It is therefore sufficient to consider only the indistinguishability-based 
security definition. 

Definition 1. An AONT is a randomized transform $T(x) : \{0,1\}^n \to \{0,1\}^{n'}$ 
which is efficiently computable; given all bits of the output, there is an inverse 
function $I$ which uniquely recovers $x$: $I(T(x)) = x$. Suppose an adversary 
runs the experiment in the following stages: 

1. Select: The adversary is given $l$ and access to $\Gamma$. It selects $l$ bit positions and 
outputs labels of positions $L \in \binom{[n']}{l}$ and side-information $c_s \in \{0,1\}^*$. 

2. Find: The adversary is given $c_s$ and access to $\Gamma$. It outputs $x_0 \in \{0,1\}^n$, 
$x_1 \in \{0,1\}^n$ and side-information $c_f \in \{0,1\}^*$. 

3. Guess: The adversary is given $c_f$ and, for a random bit $b$, $\mathrm{AONT}^\Gamma(x_b)$ with bit 
positions $L$ missing. The adversary has access to $\Gamma$ and tries to guess $b$. 

Let AONT be a randomized transform mapping $n$-bit messages to $n'$-bit out- 
puts and using a random oracle $\Gamma$. Let $l$ be between 1 and $n'$. An adversary $A$ is said 
to succeed in $(T, q_\Gamma, \varepsilon)$-adaptively-distinguishing AONT with $l$ missing bits if 

$$\Pr\big[(L, c_s) \leftarrow A_{\mathrm{select}}(l),\ (x_0, x_1, c_f) \leftarrow A_{\mathrm{find}}(c_s),\ b \leftarrow \{0,1\},\ y \leftarrow \mathrm{AONT}^\Gamma(x_b),\ b' \leftarrow A_{\mathrm{guess}}(h_{n',L}(y), c_f) : b' = b\big] \ge \tfrac{1}{2} + \varepsilon$$

and moreover, in the experiment above, $A$ runs at most $T$ steps and makes 
at most $q_\Gamma$ queries to $\Gamma$. The AONT is secure if no probabilistic polynomial- 
time adversary succeeds with non-negligible $\varepsilon$. 

Furthermore, it is proved that OAEP [5] is a secure implementation of AONT 
in the above sense in the random oracle model. 
Definition from [7]. This definition is essentially the same as 
Definition 1, except that the latter can only be stated in the random oracle 
model; Definition 2 covers the more general case. In addition, [7] also divides 
the output $y$ of an AONT into two sections: one is called the public part $y_2$, 
which does not need protection, that is, it can be revealed to the adversary. The 
other section is called the secret part $y_1$, which needs some protection. The security 
guarantee is: as long as $l$ bits of the secret output $y_1$ remain hidden, while all 
the bits of $y_2$ may be revealed, the adversary should have no information about 
the message. 

Definition 2. A randomized polynomial-time computable function $T(x) : \{0,1\}^k 
\to \{0,1\}^{n'}$ is an $l$-AONT if 

1. $T$ is efficiently invertible, i.e., there is a polynomial-time machine $I$ such 
that for any $x \in \{0,1\}^k$ and any $y \in T(x)$, we have $I(y) = x$. 

2. For any label $L \in \binom{[n']}{l}$ and any $x_0, x_1 \in \{0,1\}^k$ chosen by the adversary 
adaptively, we have 

$$(x_0, x_1, [T(x_0)]_L) \approx (x_0, x_1, [T(x_1)]_L)$$

The construction of [7] makes use of exposure-resilient functions (ERF). In- 
formally, an $l$-ERF is a special type of pseudorandom generator whose output 
remains computationally indistinguishable from a random sequence as long as $l$ 
bits of its seed remain hidden. Refer to [7] for the formal definition and construction of 
ERF. A construction satisfying the above Definition 2 was proposed and has been 
proved secure (Theorem 5.1 of [7]). 



3 AONT Enhances Data Privacy? 

As we know, since an AONT contains no secret information itself and does 
no encryption, when it is integrated into a cryptosystem the security of the whole 
system, rather than of the AONT itself, should be considered. The above two definitions 
[6,7] have considered AONT against adaptive attacks; however, the security of the 
other components of the cryptosystem, especially the security of the encryption 
component, is never confronted. 

Actually, the definitions given in [6,7] are sufficient under chosen plaintext attack 
(CPA). A simple argument: if an attacker can break the security 
of the cryptosystem, then it can be used as a subroutine to break either the 
indistinguishability of the AONT or the encryption component. A similar ar- 
gument in proving the CPA security of a generic construction of a key-insulated 
cryptosystem can be found in [9], albeit in a different context. 

However, the same argument is not applicable when discussing the CCA security 
of the cryptosystem. Problems may occur when an AONT meeting the security def- 
initions of [6,7] works with a malleable encryption scheme. Here we demonstrate 
two examples. 
3.1 Example 1 

The first example is an attack on OAEP, which was first exhibited by Shoup [19] 
in disproving the original security result for OAEP. OAEP can be described as fol- 
lows: two hash functions $G, H$ are modelled as random functions, and a message $m$ 
is masked by $s = m \oplus G(r)$, $t = r \oplus H(s)$. Then the ciphertext is $c = \varphi_{pk}(s, t)$, 
where $\varphi$ is a one-way trapdoor function defined by $pk$ and $sk$. For decryption, one 
computes 

$$(s, t) = \varphi_{sk}^{-1}(c), \quad r = t \oplus H(s), \quad m = s \oplus G(r).$$

Suppose there exists an XOR-malleable $f$ (refer to [19] for the precise definition), which 
is a one-way trapdoor function with the following property: given $\varphi_{pk}(s, t) = (s, f(t))$ 
and any binary string $\Delta$ of the same length as $t$, one can efficiently compute $f(t \oplus \Delta)$. 

For any challenge ciphertext $C_b = (s, f(t))$ given by the encryption oracle in 
the IND-CCA game, the adversary can choose any random string $\Delta x$ and compute 
$s' = s \oplus \Delta x$ and $f(t') = f(t \oplus H(s) \oplus H(s'))$, which yields a new ciphertext $c'$. If 
the adversary queries $c'$ at the Decryption Oracle, which returns $m_b \oplus \Delta x$, 
the adversary can easily recover $m_b$ and guess $b$ correctly. The reason why 
this attack works is that the adversary can maul the ciphertext. 

From the above description, one can see that if OAEP is used as the AONT in a 
cryptosystem, and the encryption component (encrypting $t$ or part of $t$) happens 
to be XOR-malleable, the whole system is not IND-CCA secure. 

3.2 Example 2 

The second example is more straightforward. The following construction is given 
in [7]: Let $f : \{0,1\}^n \to \{0,1\}^k$ be a computational $l$-ERF. Define $T : \{0,1\}^k \to 
\{0,1\}^n \times \{0,1\}^k$ (with $n$ random bits $r$) as follows: $T(x; r) = (r, f(r) \oplus x)$. Then 
$T$ is an $l$-AONT with secret part $r$ and public part $f(r) \oplus x$. 

For this one-time-pad-like construction, with the seed $r$ as the secret 
part and $f(r) \oplus x$ as the public part (sent without any encryption), one can compute 
$f(r) \oplus x \oplus \Delta x$, where $\Delta x$ is any binary string. The resulting ciphertext becomes 
$E(r)$ (secret part under encryption) and $f(r) \oplus x \oplus \Delta x$ (public part transmitted 
in plaintext), and the decryption oracle returns $x \oplus \Delta x$. Again, it is easily seen 
that the whole cryptosystem is not IND-CCA secure either. 
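Both examples reduce to the same move: the adversary mauls the challenge into a different, valid ciphertext whose decryption is $m_b \oplus \Delta x$, and one decryption query finishes the game. The following Python is an added illustration, not code from the paper: it instantiates Example 1 (OAEP with an encryption component that is XOR-malleable on $t$) and Example 2 (the ERF-based transform with its public part sent in the clear) and runs the IND-CCA game against each. The "trapdoor" functions are constructed stand-ins (a keyed XOR mask, which has exactly the malleability the paper assumes and no other property the attack needs), and $G$, $H$ and $f$ are instantiated with domain-separated SHA-256.

```python
# Added example (not the paper's code): toy instantiations of Example 1 and
# Example 2, showing how a malleable encryption component lets an IND-CCA
# adversary recover m_b with a single decryption-oracle query, although the
# AONT itself (OAEP, or the ERF-based one-time-pad transform) is not at fault.
# All primitives below are constructed stand-ins, not real public-key schemes.
import hashlib
import os

BLOCK = 16  # byte length of r, s, t and of the messages (constructed choice)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ro(label: bytes, x: bytes) -> bytes:
    """Random-oracle stand-in: domain-separated SHA-256 truncated to BLOCK bytes."""
    return hashlib.sha256(label + x).digest()[:BLOCK]


# ---- Example 1: OAEP as the AONT, encryption component XOR-malleable on t ----
# Assumed trapdoor: phi_pk(s, t) = (s, f(t)) with f(t xor d) computable from
# f(t) and d.  A keyed mask f(t) = t xor K has that property; it is not one-way,
# but the CCA attack only ever uses the malleability.
K_TRAPDOOR = os.urandom(BLOCK)  # stands in for the secret key sk


def oaep_pad(m: bytes, r: bytes):
    s = xor(m, ro(b"G", r))
    t = xor(r, ro(b"H", s))
    return s, t


def oaep_unpad(s: bytes, t: bytes) -> bytes:
    r = xor(t, ro(b"H", s))
    return xor(s, ro(b"G", r))


def ex1_encrypt(m: bytes) -> tuple:
    s, t = oaep_pad(m, os.urandom(BLOCK))
    return s, xor(t, K_TRAPDOOR)            # (s, f(t))


def ex1_decrypt(c: tuple) -> bytes:         # the decryption oracle
    s, ft = c
    return oaep_unpad(s, xor(ft, K_TRAPDOOR))


def ex1_maul(c: tuple, delta: bytes) -> tuple:
    """Shoup's mauling: s' = s xor delta, f(t') = f(t xor H(s) xor H(s'))."""
    s, ft = c
    s2 = xor(s, delta)
    ft2 = xor(ft, xor(ro(b"H", s), ro(b"H", s2)))  # only XOR-malleability of f is used
    return s2, ft2


def ex1_cca_attack(challenge: tuple, m0: bytes, m1: bytes, oracle=ex1_decrypt) -> int:
    """Guess b from one decryption query on a ciphertext different from the challenge."""
    delta = b"\x01" + os.urandom(BLOCK - 1)   # any non-zero delta works
    mauled = ex1_maul(challenge, delta)
    assert mauled != challenge                # the game forbids querying C_b itself
    recovered = xor(oracle(mauled), delta)    # oracle returned m_b xor delta
    return 0 if recovered == m0 else 1


# ---- Example 2: T(x; r) = (r, f(r) xor x); E(r) encrypted, public part in clear ----
def erf_aont(x: bytes, r: bytes):
    return r, xor(ro(b"f", r), x)             # (secret part, public part)


def ex2_encrypt(x: bytes) -> tuple:
    r = os.urandom(BLOCK)
    secret, public = erf_aont(x, r)
    return xor(secret, K_TRAPDOOR), public    # E(r) stand-in; public part unprotected


def ex2_decrypt(c: tuple) -> bytes:
    enc_r, public = c
    return xor(ro(b"f", xor(enc_r, K_TRAPDOOR)), public)


def ex2_cca_attack(challenge: tuple, m0: bytes, m1: bytes, oracle=ex2_decrypt) -> int:
    enc_r, public = challenge
    delta = b"\x01" + bytes(BLOCK - 1)        # E(r) is left untouched entirely
    recovered = xor(oracle((enc_r, xor(public, delta))), delta)
    return 0 if recovered == m0 else 1


def ind_cca_game(encrypt, attack, trials: int = 32) -> int:
    """Play the IND-CCA game `trials` times; return how often the attack guessed b."""
    wins = 0
    for _ in range(trials):
        m0, m1 = os.urandom(BLOCK), os.urandom(BLOCK)
        b = os.urandom(1)[0] & 1
        wins += attack(encrypt((m0, m1)[b]), m0, m1) == b
    return wins


if __name__ == "__main__":
    print("Example 1 wins:", ind_cca_game(ex1_encrypt, ex1_cca_attack), "/ 32")
    print("Example 2 wins:", ind_cca_game(ex2_encrypt, ex2_cca_attack), "/ 32")
```

In both games the attack wins every trial. Note that `ex1_cca_attack` never touches the key material and `ex2_cca_attack` never touches $E(r)$ at all; what the adversary needs is only that a change to the part it can see propagates to a predictable change of the plaintext, which is the property the extended-indistinguishability definition in Section 4 is designed to rule out.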



4 New Definition Regarding AONT 

We have shown that the present definitions of AONT are not sufficient 
to guarantee the CCA security of the whole cryptosystem. However, the fact that 
there are no obvious attacks on the security of previous constructions of AONT 
seems to contradict the above counterexamples. We observe that AONT was origi- 
nally proposed for block ciphers, and in theoretical analysis a block cipher is 
usually modeled as a random permutation. One may think of a random permu- 
tation as a transform with authentication, at least in a weak sense. For a 
block cipher, informally speaking, chosen ciphertext attack is almost the same 
as chosen plaintext attack, since the random permutation leaves the cipher- 
text non-malleable. On the other hand, for a public key cryptosystem, chosen 
ciphertext attack is a more powerful attack. In a cryptosystem with an AONT, when- 
ever the encryption component is malleable, the whole system, 
regardless of the security of the AONT, may be insecure. 

Two natural questions then arise: how should one consider the security 
of an AONT, and how should it be used in designing a secure cryptosystem? 
We proceed to solve these problems. 

4.1 Public Key Encryption Schemes with AONT 

Before we can formalize our solutions, we give a new syntax for 
public key encryption schemes with AONT, which better models practice. 

Definition 3. A public key encryption scheme with an AONT as a component is 
an encryption scheme with the following algorithms (K, S, E, Com, D), where: 

– K is the key generation algorithm, necessarily randomized. It calls the 
key generation algorithm Enc-Gen($1^k$) of a public key encryption scheme, 
where $k$ is the security parameter, and outputs a pair $(pk, sk)$ of keys defining 
a one-way trapdoor permutation. It also picks an AONT = $(T, I)$, where $T$ 
is a randomized transform algorithm that takes a message $m$ and, with internal 
randomness $r$, outputs $y = T(m)$; $I$ is the deterministic inverse 
algorithm that takes a binary string $y$ and returns $\hat{m} = I(y)$. 

– S is the deterministic plaintext split algorithm, taking $y = T(m)$ as input and 
returning two sections $y_1$ and $y_2$, called secret part and public part respectively. 

– E may be a probabilistic algorithm; it calls the encryption algorithm Enc of a 
normal public key encryption scheme with $(y_1, pk)$ as input and outputs the ciphertext 
$c_1$ returned by Enc. 

– Com is a deterministic combine algorithm, outputting $C = (c_1, y_2)$ as the final 
ciphertext. 

– D is the deterministic decryption algorithm. It first takes $C$ as input and splits 
it into two parts ($c_1$ and $y_2$), then calls Dec of the public key encryption scheme 
with $(c_1, sk)$ as input and gets $y_1$, or $\bot$ if "invalid", in which case it terminates 
right away. It then returns $\hat{m} = I(y_1, y_2)$ as plaintext and terminates. 



4.2 Extended-Indistinguishability 

We solve the first question by giving a new definition for AONT, called extended-indistin- 
guishability, in which, besides what the adversary can get in the previous 
model, some additional side-information is given to it. The justification is 
that the adversary not only has the resources it had in the previous game, e.g., 
Definition 1, but additionally has access to $c_1$, the output of the encryption 
component. The adversary then plays a modified game with oracle queries. 
The adversary wins if it can distinguish the input of the AONT, which also turns 
out to be the plaintext of the whole system. Note that the side-information may 
be useless to the adversary, for instance in the case that the cryptosystem is 
IND-CCA secure. 

We are now ready to give the new definition. Suppose a probabilistic poly- 
nomial-time adversary $A$ attacking a cryptosystem with AONT is engaged in 
the following game: 

Definition 4. At the beginning the key generation algorithm K is run and $(pk, sk)$ 
are generated. The adversary schedules the attack in two phases, find and guess, 
in which it has decryption oracle access polynomially many times. At the end of the find 
phase, the adversary outputs a pair of messages and writes some internal infor- 
mation $s$ to its tape. An encryption oracle randomly chooses a bit $b$ and generates 
the challenge ciphertext $C_b$. At the end of the guess phase, the adversary outputs its 
guess on $b$. The adversary cannot query $C_b$ to the decryption oracle. An AONT 
has extended-indistinguishability if the adversary's advantage in correctly guess- 
ing $b$ over a random guess is negligible: 

$$\Pr\big[(pk, sk) \leftarrow K,\ (m_0, m_1, s) \leftarrow A^{DO}_{\mathrm{find}}(pk),\ b \leftarrow \{0,1\},\ y_b \leftarrow T(m_b),\ (y_{1b}, y_{2b}) \leftarrow S(y_b),\ c_{1b} \leftarrow E(y_{1b}),\ C_b \leftarrow \mathrm{Com}(c_{1b}, y_{2b}),\ b' \leftarrow A^{DO}_{\mathrm{guess}}(C_b, s) : b' = b\big] \le \tfrac{1}{2} + \mathrm{neg}(k)$$



Theorem 1. Suppose a cryptosystem is built from an extended-indistinguish- 
able AONT and an encryption component that is at least one-way. Then the 
resulting cryptosystem is IND-CCA secure. 

Proof. Immediate from the definition. □ 

4.3 Relations among Definitions for AONT 

We briefly discuss how the new definition relates to the previous definitions. Since 
Definition 2 completely captures the essence of Definition 1, we focus on the 
relation between Definition 2 and Definition 4. As we have mentioned, when 
an AONT is combined with an IND-CCA component, there is no gap between these 
two definitions for a static adversary. We give a more detailed discussion here. 

Suppose $(T, I)$ is a secure AONT in the sense of Definition 2; we want to 
show that, with the secret part $y_1$ protected by an IND-CCA secure encryption component, 
$T$ is also secure in the sense of extended-indistinguishability. Indeed, if this 
AONT is not extended-indistinguishable, an adversary $B$ attacking this AONT 
in the sense of Definition 2 can be constructed as follows: 

Suppose $A$ is an adversary that breaks the extended-indistinguishability of the AONT. 
When $A$ asks decryption queries, $B$ can simply choose a random $c_1$ and, together with the 
public part $y_2$, complete the input message $m$. Since the encryption component is 
IND-CCA secure, for any $c_1$ the part $y_1$ is independent of $c_1$, which 
implies that $B$'s simulation is perfect. Then at the end of the game, $B$ outputs whatever 
bit $b'$ $A$ outputs, and thus gets the same advantage as $A$. On the other hand, an AONT 
with extended-indistinguishability is also secure under Definition 2, by a similar 
argument. 
Remark 1. A similar analysis applies to the case of block ciphers. The above analysis 
explains the correctness of practical schemes built on AONTs that are secure in the sense 
of the previous definitions. 

5 Secure Constructions 

Present public key encryption primitives can be divided into two categories: 
deterministic ones and probabilistic ones. Different treatments 
are needed for these primitives, because a probabilistic en- 
cryption primitive requires additional randomness. If this randomness is not 
carefully controlled, or more precisely, if the encryption component is malleable 
with respect to the underlying AONT, then an adversary can still create a mauled 
ciphertext, and the cryptosystem is not IND-CCA secure. We give two con- 
structions according to the type of primitive: the first is based on a random 
permutation and is suitable for a deterministic encryption component; the second 
is based on a random oracle and is suitable for a probabilistic encryption component. 
We remark that for the latter, a generic construction based on non-interactive 
zero-knowledge proofs would also work; however, to make the ciphertext compact 
and the computation efficient, we adopt the random oracle. 



5.1 Construction 1 

The first is a Full-Domain Permutation based construction. We note that the permu- 
tation is a public random permutation and not one-way. 

Description. Intuitively, one can think of the random permutation as a bijective 
random oracle. A random permutation family is a family of permutations 
$\pi : \mathrm{Keys}(\pi) \times \mathrm{Dom}(\pi) \to \mathrm{Rang}(\pi)$, where $\mathrm{Dom}(\pi)$ and $\mathrm{Rang}(\pi)$ denote the input 
domain space and output range space of $\pi$. Fixing each key $k$, $P_k : \{0,1\}^n \to 
\{0,1\}^n$ is a bijective mapping over the same space. By random permutation, in 
fact, we mean that there do not exist two keys $k_1$ and $k_2$ such that $P_{k_1}$ is the 
same as $P_{k_2}$. Thus a random permutation family of domain $\{0,1\}^n$ has key 
size $2^n$. Since the permutation is public, given $P_k(m)$ and $k$, one can easily and 
uniquely recover 

$m = P_k^{-1}(P_k(m)).$ 

The construction is very simple: for a random permutation over the space $\{0,1\}^n$, 
where $n$ is the size of the message space, pick a key $k_r$ and compute $P_{k_r}(m)$; then 
$(k_r, P_{k_r}(m))$ is an AONT with secret part $k_r$ and public part $P_{k_r}(m)$.¹ The 
following theorem guarantees the security of this construction: 

Theorem 2. An AONT from Construction 1 is extended-indistinguishable. 

¹ In fact the choice of which bits to encrypt can be flexible, if sufficiently many bits are 
protected. 
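The following Go program, added here as an illustration and not code from the paper, instantiates Construction 1. It assumes a concrete public keyed permutation: an 8-round Feistel network whose round function is SHA-256 over the key, the round index and one half of the block, standing in for the ideal random permutation family (a real deployment would use a standard block cipher, as Remark 1 allows). Transform returns the secret part $k_r$ and the public part $P_{k_r}(m)$, Inverse recovers $m$ from both parts, and OtherKeyDiffers shows that the public part inverted under any other key yields a different message, which is the all-or-nothing property the paper relies on.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// The AONT works on n = 256-bit messages; keys are the same length.
const blockLen = 32
const rounds = 8

// roundFunc is the Feistel round function, a public key-dependent function
// built from SHA-256 over (key, round index, half block). This is an assumed
// stand-in for the paper's ideal random permutation family.
func roundFunc(key []byte, round int, half []byte) []byte {
	var idx [4]byte
	binary.BigEndian.PutUint32(idx[:], uint32(round))
	h := sha256.New()
	h.Write(key)
	h.Write(idx[:])
	h.Write(half)
	return h.Sum(nil)[:blockLen/2]
}

func xorInto(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// Permute computes P_k(m), a keyed bijection on {0,1}^n. Anyone holding k
// can invert it: the permutation is public, not one-way.
func Permute(k, m []byte) []byte {
	l := append([]byte(nil), m[:blockLen/2]...)
	r := append([]byte(nil), m[blockLen/2:]...)
	for i := 0; i < rounds; i++ {
		nl := make([]byte, blockLen/2)
		xorInto(nl, l, roundFunc(k, i, r))
		l, r = r, nl
	}
	return append(l, r...)
}

// Invert computes P_k^{-1}(p) by running the rounds backwards.
func Invert(k, p []byte) []byte {
	l := append([]byte(nil), p[:blockLen/2]...)
	r := append([]byte(nil), p[blockLen/2:]...)
	for i := rounds - 1; i >= 0; i-- {
		nr := make([]byte, blockLen/2)
		xorInto(nr, r, roundFunc(k, i, l))
		l, r = nr, l
	}
	return append(l, r...)
}

// Transform is Construction 1: draw a fresh key k_r and output the secret
// part k_r together with the public part P_{k_r}(m).
func Transform(m []byte) (secret, public []byte, err error) {
	if len(m) != blockLen {
		return nil, nil, fmt.Errorf("message must be %d bytes", blockLen)
	}
	secret = make([]byte, blockLen)
	if _, err = rand.Read(secret); err != nil {
		return nil, nil, err
	}
	return secret, Permute(secret, m), nil
}

// Inverse recovers m = P_{k_r}^{-1}(P_{k_r}(m)) from both parts.
func Inverse(secret, public []byte) []byte { return Invert(secret, public) }

// OtherKeyDiffers demonstrates the all-or-nothing property: the public part
// inverted under any key other than the real one yields a different message.
func OtherKeyDiffers(m, secret, public []byte) bool {
	wrong := append([]byte(nil), secret...)
	wrong[0] ^= 1
	return !bytes.Equal(Invert(wrong, public), m)
}

func main() {
	m := bytes.Repeat([]byte("AONT-msg"), 4) // constructed 32-byte sample message
	k, p, err := Transform(m)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %v, other key differs: %v\n",
		bytes.Equal(Inverse(k, p), m), OtherKeyDiffers(m, k, p))
}
```

In a full cryptosystem only the secret part $k_r$ goes through the encryption component; the public part $P_{k_r}(m)$ travels in clear, and the proof of Theorem 2 is what justifies that choice.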
Proof Idea. The goal of the proof is to simulate the oracles $P$ and $P^{-1}$ 
such that the adversary cannot distinguish them from the real oracles. In the 
simulation, if a new query is encountered, since $P$ is a random permutation we 
have to reply with a new random value in order to keep the simulation consistent. 
On simulation of decryption oracle queries, if the pre-image of the encryption 
component is asked, there is a small error probability. However, we prove that 
this is negligible, and the simulation is almost perfect. On the other hand, the 
challenge $m_b$ from the pair $(m_0, m_1)$ is independent of the simulation, thus 
the adversary has no advantage. If there exists such an adversary that breaks the 
extended-indistinguishability, then we can construct an adversary that breaks the 
onewayness of the encryption component. 

Proof. Assume there exists an adversary A that breaks the extended-indistin- 
guishability of the above construction. We can then construct an adversary B that 
breaks the onewayness of the encryption component, denoted $\varphi$. Namely, on 
input $c^* = \varphi_{pk}(r^*)$, B outputs $r^*$. 

Construction of B. The key generation algorithm is run, generating $(pk, sk)$. 
B maintains an ordered P-list of 4-tuples $(m, r, p, c)$ as follows: 

On a $P$ query on $m \in \{0,1\}^n$ from A, B chooses $r \leftarrow \{0,1\}^n$, replies $p = 
P_r(m)$, computes the corresponding ciphertext $\varphi_{pk}(r)$ and stores $(m, r, p, \varphi_{pk}(r))$ 
in the P-list. On a $P^{-1}$ query on $p \in \{0,1\}^n$, B chooses $r \leftarrow \{0,1\}^n$, replies $m = 
P_r^{-1}(p)$, and stores $(m, r, p, \varphi_{pk}(r))$ in the P-list. 

On a decryption query on $C = (p, c)$, B searches the P-list for an 
entry with $(p, c)$. If such an entry exists, B answers with $m$ and quits. If there is 
no such entry, B replies with $m \leftarrow \{0,1\}^n$, computes $r = P^{-1}(p)$ and writes $(m, r, p, c)$ 
to the P-list. 

On the encryption oracle query with chosen messages $(m_0, m_1)$ by A, B chooses a 
random $p^*$. Instead of giving the correct challenge to A, B takes its own challenge $c^* = 
\varphi_{pk}(m^*)$ and replies with the challenge $C_b = (p^*, c^*)$. 

When A terminates and outputs a guess $b'$, B searches the P-list and if 
there is an entry $(m, r, p, c)$ with $c = c^*$, it outputs $m^* = m$ as the pre-image 
of $c^* = \varphi_{pk}(m^*)$. If A does not terminate in polynomial time or encounters an 
error, B aborts the simulation and chooses a random $m$ from the list as output. 
Define the following probability events: 
Define some probability events as: 

— PBad: B answers one $P$ or $P^{-1}$ query incorrectly. 

— DBad: B answers one decryption query incorrectly. 

Suppose A issues $Q_P$ direct $P$-oracle and $P^{-1}$-oracle queries and $Q_D$ 
decryption queries respectively. Since $P$ is a random permutation, when a 
new entry is added to the list, the simulation fails if there is already an entry with the 
same $r$, $c$ in the list. In that case the simulation aborts. This implies that the 
probability of failing to simulate the $P$ or $P^{-1}$ queries is: 

$\Pr[\mathrm{PBad}] \le Q_P \cdot 2^{-n}$ 

For $|r| = n$, the only exception on a decryption query is when the corresponding 
ciphertext is $C = (p, \varphi_{pk}(r^*))$, that is, A is asking on $\varphi_{pk}(r^*)$ and gets a wrong 
reply from B, for $r^*$ is unknown to the simulator because of the onewayness of the 
encryption component $\varphi(r^*)$. In this case we have: 

$\Pr[\mathrm{DBad}] \le (Q_P + Q_D)^2 \cdot 2^{-n}$ 

Since there are $Q_P + Q_D$ elements on the P-list, the failure probability of the simu- 
lation of adversary B, denoted $\Pr[\mathrm{BadB}]$, is given as: 

$\Pr[\mathrm{BadB}] = \Pr[\mathrm{DBad} \lor \mathrm{PBad}] \le \Pr[\mathrm{DBad}] + \Pr[\mathrm{PBad}]$ (1) 

Define the advantage of A as $\varepsilon_1$ and that of B as $\varepsilon$, which is non-negligible. Since the 
challenge is completely independent of $(m_0, m_1)$, that is, $C$ is independent of 
$m_0$ and $m_1$, the success probability of A should be exactly 1/2: 

$\Pr[\mathrm{SucA} \land \neg\mathrm{BadB}] = 1/2$ (2) 

On the other hand, we have 

$\Pr[\mathrm{BadB}] \ge \Pr[\mathrm{SucA} \land \mathrm{BadB}] \ge \Pr[\mathrm{SucA}] - 1/2 = \varepsilon_1$ (3) 

For a failed simulation, if there is an entry $(m, r, p, c^*)$ in the list there will 
be a collision. In this case the simulation fails, but B can know that it has already 
inverted $\varphi_{pk}(r)$. Now from (1), (2) and (3), we have: 

$\varepsilon \ge \Pr[\mathrm{SucA} \land \mathrm{BadB}] - \Pr[\mathrm{PBad}] - \Pr[\mathrm{DBad}]$ 

$\ge \varepsilon_1 - Q_P \cdot 2^{-n} - (Q_P + Q_D)^2 \cdot 2^{-n}$ 

This implies that B successfully inverts $\varphi_{pk}$ with non-negligible probability, and 
the execution time of B is polynomial. This completes the proof. □ 

5.2 Construction 2 

Description. For a probabilistic public key encryption primitive, we propose 
another construction based on random oracles. The second construc- 
tion works as follows: $G$, $H$, $H'$ are three hash functions treated as random ora- 
cles. For a message $m$ and randomness $r$, let the transform be 

$s = G(r) \oplus m, \quad t = H(s) \oplus r$ 

which takes $y = s \| t$ as output. Additionally, compute $H'(r, m)$ as the ran- 
domness used for the probabilistic encryption component $\psi$. We note that 
only a part of $y$ needs to be encrypted. Suppose the split algorithm works as 
$y = y_1 \| y_2$; we require $y_1 \approx s$ and that $2^{-|y_1|}$ is negligible. Then the probabilistic en- 
cryption component $\psi$ takes $y_1$ as input, using randomness $H'(r, m)$, producing the 
partial ciphertext $c_1 = \psi_{pk}(y_1)$. 

In the decryption phase, after recovering $y_1$, one can divide $y$ as $(s, t)$. Set $\hat{r} = 
H(s) \oplus t$ and compute $\hat{m} = s \oplus G(\hat{r})$. Check whether the ciphertext is formed 
correctly by computing $H'(\hat{r}, \hat{m})$ and encrypting $y_1$ again. If this test is passed, 
output $\hat{m}$ as the plaintext, otherwise output “⊥”. 
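The Go program below, an added example rather than the paper's own code, instantiates Construction 2 with concrete choices: $G$, $H$ and $H'$ are domain-separated SHA-256 (standing in for the random oracles), and the probabilistic component $\psi$ is RSA-OAEP. Go's rsa.EncryptOAEP reads the OAEP seed from the io.Reader it is given, so handing it $H'(r, m)$ instead of fresh coins derandomizes $\psi$ exactly as the construction requires; the decryptor then repeats the encryption of $y_1$ under the recovered $(\hat r, \hat m)$ and outputs an error, the paper's "⊥", unless it reproduces $c_1$. Message and randomness lengths (32 bytes) are assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Assumed lengths: |m| = |r| = 32 bytes, so s and t are 32 bytes each,
// y_1 = s, y_2 = t, and 2^{-|y_1|} = 2^{-256} is negligible.
const k = 32

// G, H and H' are modelled by domain-separated SHA-256, an assumption
// standing in for the paper's random oracles.
func oracle(tag byte, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte{tag})
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}
func G(r []byte) []byte         { return oracle('G', r) }
func H(s []byte) []byte         { return oracle('H', s) }
func Hprime(r, m []byte) []byte { return oracle('P', r, m) }

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// fixedSeed hands the OAEP encoder H'(r, m) as its "randomness" instead of
// fresh coins; that is what lets the decryptor re-encrypt and compare.
// Every Read starts again from the beginning of the seed.
type fixedSeed []byte

func (f fixedSeed) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = f[i%len(f)]
	}
	return len(p), nil
}

// Ciphertext is (c_1, y_2): c_1 = psi_pk(y_1; H'(r, m)), y_2 = t sent in clear.
type Ciphertext struct{ C1, Y2 []byte }

// Encrypt applies s = G(r) xor m, t = H(s) xor r, splits y = s||t into
// y_1 = s and y_2 = t, and encrypts only y_1 with RSA-OAEP (the probabilistic
// component psi) seeded with H'(r, m).
func Encrypt(pub *rsa.PublicKey, m []byte) (*Ciphertext, error) {
	if len(m) != k {
		return nil, errors.New("message must be 32 bytes")
	}
	r := make([]byte, k)
	if _, err := io.ReadFull(rand.Reader, r); err != nil {
		return nil, err
	}
	s := xor(G(r), m)
	t := xor(H(s), r)
	c1, err := rsa.EncryptOAEP(sha256.New(), fixedSeed(Hprime(r, m)), pub, s, nil)
	if err != nil {
		return nil, err
	}
	return &Ciphertext{C1: c1, Y2: t}, nil
}

// Decrypt recovers s, derives r = H(s) xor t and m = s xor G(r), then
// re-encrypts s under H'(r, m) and returns an error (the paper's "bottom")
// unless the result equals c_1. A modified y_2 or c_1 therefore fails the
// check instead of decrypting to a related plaintext.
func Decrypt(priv *rsa.PrivateKey, ct *Ciphertext) ([]byte, error) {
	s, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct.C1, nil)
	if err != nil || len(s) != k || len(ct.Y2) != k {
		return nil, errors.New("invalid ciphertext")
	}
	r := xor(H(s), ct.Y2)
	m := xor(s, G(r))
	again, err := rsa.EncryptOAEP(sha256.New(), fixedSeed(Hprime(r, m)), &priv.PublicKey, s, nil)
	if err != nil || !bytes.Equal(again, ct.C1) {
		return nil, errors.New("invalid ciphertext")
	}
	return m, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	ct, _ := Encrypt(&priv.PublicKey, bytes.Repeat([]byte("msg!"), 8))
	m, err := Decrypt(priv, ct)
	fmt.Printf("%q %v\n", m, err)
}
```

The re-encryption check is the whole point of deriving $\psi$'s randomness from $H'(r, m)$: with fresh coins the decryptor could not recompute $c_1$, and a modified public part $y_2$ would decrypt to some related plaintext instead of being rejected.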

Theorem 3. An AONT from Construction 2 is extended-indistinguishable. 
Proof Idea. The idea is that, because the checksum $H'(r, m)$ can be 
reconstructed, with re-encryption most of the invalid decryption queries will be 
rejected. Thus an adversary can simulate the decryption oracle almost perfectly. 
All correct decryption queries are “plaintext aware”; in other words, the adver- 
sary gains no help from the decryption oracle. On the other hand, the adversary 
should simulate the random oracle queries. This is achieved by letting the ad- 
versary maintain three lists. We then prove that the simulated oracles are in 
fact indistinguishable from the real oracles. 

Proof. From the assumptions, if there exists an adversary A that breaks the extended- 
indistinguishability of the AONT, another adversary B can be built as follows: 

The key generation algorithm is run, generating $(pk, sk)$. B maintains three 
lists, named G-list, H-list and H'-list respectively. On each random oracle query 
on $a$, B flips coins and selects a random number as output $b \in \{0,1\}^*$. Here $\{0,1\}^*$ 
should be understood as the proper length according to the context. B then 
writes the pair $(a, b)$ to the corresponding list. We also denote the data entries in 
each list as $(g, G(g))$, $(h, H(h))$ and $(h', H'(h'))$ respectively. 

On answering a decryption query $c_1$, B first searches the G-list and 
H-list, and finds pairs $(g, G(g))$ and $(h, H(h))$ such that $s \| t = h \| (g \oplus H(h))$. It then 
sets $r = g$ and $m = h \oplus G(r)$. If there is an entry in the H'-list such that $h' = r \| m$, 
it splits $s \| t$ as $y_1 \| y_2$ and encrypts $y_1$ with the public key $pk$ to get $c_1 = \psi_{pk}(y_1)$ 
with $H'(h')$ as randomness for $\psi_{pk}$. Otherwise, it outputs “⊥”. Denote the bit 
length of $y_1$ as $k_1$, the length of $h$ as $k_2$ and the length of $g$ as $k_3$. 

When A queries the encryption oracle with two chosen messages $(m_0, m_1)$, B 
converts the messages into two sub-ciphertexts $(y_{10}, y_{11})$ with the same random $r$ 
as its chosen messages and outputs them to its encryption oracle. When the challenge 
$c_{1b}$ is returned by its encryption oracle, B selects a random $y_2$ and completes the 
challenge to A as $(c_{1b}, y_2)$. We can see that since $y_2$ is selected independently of 
$(m_0, m_1)$, in fact A has no advantage in the game. 

Obviously, the simulation of random oracle queries is perfect except when A issues 
a decryption query containing the real challenge $c_{1b}$ or a random oracle query 
contains the real $m_b$. In that case, B cannot distinguish which one is the case. 

Denote some events as: 

— AskG: $g$ is asked to $G$ before $h$ is asked to $H$. 

— AskH: $h$ is asked to $H$ before $g$ is asked to $G$. 

— AskH': $h'$ is asked to $H'$ before AskG and AskH happen. 

— SucA: A succeeds in guessing $b$. 

— DBad: B fails to answer a decryption query. 

Suppose A issues $Q_G$ and $Q_H$ queries to the G-oracle and H-oracle respectively. 
Also A issues $Q_D$ decryption oracle queries. We can count the probability of 
simulation failure as follows. 

$\Pr[\mathrm{SucA}] \le \Pr[\mathrm{AskG} \lor \mathrm{AskH} \lor \mathrm{DBad}] + 1/2$ (4) 

$\Pr[\mathrm{AskG} \lor \mathrm{AskH} \lor \mathrm{AskH'} \lor \mathrm{DBad}] \ge \Pr[\mathrm{SucA}] - 1/2 = \varepsilon_1$ (5) 

For random oracle queries, by definition $\Pr[\mathrm{AskG} \land \mathrm{AskH}] = 0$, so 

$\Pr[\mathrm{AskG} \lor \mathrm{AskH}] = \Pr[\mathrm{AskG}] + \Pr[\mathrm{AskH}]$ 

For $G$ queries, the probability that one $G$ query “happens” to be the real 
challenge is $2^{-k_3}$, and for $H$ it is $2^{-k_2}$ accordingly. Then for a total of $Q_G$ queries 
and $Q_H$ queries we have: 

$\Pr[\mathrm{AskG}] \ge 1 - (1 - 2^{-k_3})^{Q_G} = Q_G \cdot 2^{-k_3}$ 
$\Pr[\mathrm{AskH}] \ge 1 - (1 - 2^{-k_2})^{Q_H} = Q_H \cdot 2^{-k_2}$ 

It is time to count the decryption oracle queries. In the above construction, we can 
easily see that similar analysis applies to the failure of decryption queries, since most 
of the invalid queries will be rejected. We omit the details here. The probability 
of rejecting a correctly formed ciphertext is: 

$\Pr[\neg\mathrm{DBad}] \ge 1 - (1 - 2^{-k_1})^{Q_D} = Q_D \cdot 2^{-k_1}$ 

Then from Equation (5), 

$\Pr[\mathrm{AskG} \lor \mathrm{AskH} \lor \mathrm{AskH'} \lor \mathrm{DBad}] = \Pr[\mathrm{AskG} \lor \mathrm{AskH} \lor \mathrm{AskH'}]$ 

$- \Pr[(\mathrm{AskG} \lor \mathrm{AskH} \lor \mathrm{AskH'}) \land \neg\mathrm{DBad}]$ 

$= \Pr[\mathrm{AskH}] - (\Pr[\mathrm{AskG}] + \Pr[\mathrm{AskH}] - \Pr[\neg\mathrm{DBad}])$ 
$\le \Pr[\mathrm{AskH}] - (Q_G \cdot 2^{-k_3} + Q_H \cdot 2^{-k_2})$ (6) 

When AskH happens, B must have known $c_{1b}$, thus breaking the indistinguishability 
of $\psi_{pk}$. So we have 

$\varepsilon \ge \Pr[\mathrm{AskH}] \ge \varepsilon_1 + Q_H \cdot 2^{-k_2} + Q_G \cdot 2^{-k_3}$ 

It is obvious that B works within polynomial time and wins the game with non- 
negligible advantage. This completes the proof. □ 

6 Conclusion 

A “secure” AONT under previous definitions may not yield a CCA secure cryptosys- 
tem. Our new definition of AONT abstracts the essential nature of an AONT 
when used in a practical cryptosystem. Moreover, we give concrete constructions 
of extended-indistinguishable AONTs according to different types of encryption 
primitive. We remark that this justification is important in designing real-life sys- 
tems. 
Abstract. The growing security awareness among business users of net- 
works based on the Internet Protocol has created a need to control the secu- 
rity policies of the network nodes. The nodes can be distributed all over 
the Internet. The node configuration that is used to enforce the security 
policy is typically set by hand, which is time consuming and error prone. 
Thus there is a need for a centralized management system for the security 
policies of the nodes. 

In this paper we suggest that the roles of network and security 
administrators should be separated. We have designed a system for 
centralized security policy management and made a prototype im- 
plementation of it. With our system we can control security policies 
of the nodes securely and remotely from a centralized management node. 

Keywords: Virtual Security Zones, Security Policy Management 



1 Introduction 

According to the Computer Emergency Response Team (CERT) Coordination Cen- 
ter, the most common cause of firewall security breaches is misconfiguration [7], 
and the configuration of the firewall is put in place by the firewall’s adminis- 
trator. Separating the roles of network and security administration would make 
the situation much simpler, as the network administrators would no longer need to be 
aware of security requirements and vice versa. 

One of the biggest threats for an enterprise comes from within the com- 
pany. Insider attacks are far more common than believed, because companies 
try to avoid the bad publicity that could follow if the incidents were reported. 
According to the 2003 CSI/FBI Computer Crime and Security Survey [9], eighty 
percent of survey respondents had detected insiders abusing the company’s net- 
work access. Enforcing strong security policies for the hosts in the company’s 
network lowers the possibility of this kind of abuse, along with preventing the 
flow of highly sensitive data out of the network. 



M. Jakobsson, M. Yung, J. Zhou (Eds.): ACNS 2004, LNCS 3089, pp. 91-102, 2004. 
(c) Springer-Verlag Berlin Heidelberg 2004 
In order to reach this higher level of protection, some additional mechanisms 
need to be added to existing networks. In this study we identify the enabling tech- 
nologies and the components that are needed to control the security policies of nodes 
in the public Internet. We also present a method to separate security manage- 
ment from general system management and to divide the network into several virtual 
zones. We have implemented these methods and present the implementation. 

2 Security Policy Enforcement 

Security policy enforcement is the deployment strategy to put the security policy 
defined by the security administrator in action. The point where the policy 
decisions are made is called a Policy Decision Point (PDP) [19]. The actual 
enforcement point is called a Policy Enforcement Point (PEP) [19]. 

Security policy enforcement can be done either in the end-point or in the 
network. In the end-point based approach the node itself acts as a PEP, or there 
is a dedicated PEP device in place. A good example of the end-point based 
approach is the distributed firewall concept. Another possibility for policy 
enforcement is to use the network based approach. In this approach there exists 
a certain node in the network that the end-point needs to contact before being 
able to contact the desired host. In other words, the PEP resides at the end-point, 
while the PDP is somewhere in the network. 

We noticed that policy enforcement approaches can be divided using two 
parameters: is the approach dependent on the network topology, and does the 
approach use strong authentication. By strong authentication we mean that 
the hosts trust each other explicitly. The trust relationship can be established, for 
example, by using a PKI or a web of trust. In weak authentication hosts base their 
trust directly on the other host’s identifier, which may be, for example, an IP address or 
a host name. Based on this categorization we have identified one approach that 
fits into every class. Our results are presented in Table 1. 



Table 1. Approaches to policy enforcement 

                        Weak authentication       Strong authentication 
Topology dependent      Conventional firewall     Security clearance server 
                                                  with firewall 
Topology independent    Host identity protocol    Distributed firewall 



3 Existing Administration Tools and Current Technology 

SNMPv3 provides authorization, authentication and confidentiality protec- 
tion [17], and is thus the recommended version for all network management ap- 
plications. The data items for different devices are specified in the Management 
Information Base (MIB) specifications. MacFaden et al. discuss the configuration 
of networks using the SNMP protocol in [14]. This document represents the best 
practices for designing MIB modules and implementing SNMP configuration 
agents, and discusses deployment and security issues as well. 

Extensible Markup Language (XML) [18] is a language for describing flex- 
ible common information formats and the related data. XML may be used to 
present almost anything, including also security policies. The DAXFi project 
[1] has devised a dynamic XML firewall that uses XML to specify the firewall 
security policy. By using XML, the security policies can be defined in a vendor 
independent manner, and then later translated to vendor specific commands. We 
see this approach as one of the best solutions for describing security policies in 
multivendor environments. 

An interesting approach to firewall policy definition is presented by Bartal 
et al. in their paper about Firmato, a novel firewall management toolkit [3]. 
Firmato consists of a Model Definition Language (MDL), an Entity-Relationship 
(E/R) model, a model compiler and a visualization component. The basic con- 
cept in Firmato is a role. Roles define the capabilities of initiating and accepting 
services. We think that the abstraction layer that Firmato brings into fire- 
wall rule definition is a huge step forward in firewall management. The security 
administrator is no longer obliged to do the tedious configuration work using low 
level configuration files, but instead uses a modelling language. 

Conventional firewalls depend on the topology of the network. If a host is 
moved beyond the firewall perimeter the policy enforcement does not apply 
anymore. The PEP and PDP both reside in the firewall and the policy decisions 
are based on preconfigured filter lists. 

In order to have a topology independent approach that uses strong authen- 
tication, an approach like the distributed firewall may be applied. In a distributed 
firewall the PEP is located at the host, while the PDP may be located at the 
same place or somewhere else in the network. The concept of the distributed firewall 
was first introduced by Steven M. Bellovin in his paper Distributed Firewalls 
[4]. 

Host Identity Protocol (HIP) [15] is an attempt to break the binding between 
the host’s identity and its location. This is achieved by introducing a new cryp- 
tographic name space and protocol layer between the transport and network 
layers. In HIP each end-point has a distinguishing Host Identifier (HI). In order 
to communicate between a pair of end-points the initiating end-point must learn 
one of the IP addresses the other end-point is associated to. This is achieved 
using an address resolution service. 

KeyNote [6] [5] is a trust management system that provides a language with 
the same name for defining policy rules conveniently. The purpose of trust- 
management system is to provide a standard mechanism for specifying applica- 
tion security policies and credentials. [6] 

In our opinion the concept of a trust-management system is quite easily ap- 
plicable to networking, too. An important point is that the trust management 
should be done on a per-stream, not a per-packet, basis. On a per-packet basis this would con- 
sume too much processing time. However, passing every stream through a compliance 
checker once would be no problem. Hedbom et al. noticed that the security of a 
firewall or Intrusion Detection System (IDS) itself is very important [12]. 

Virtual Private Network (VPN) is a very widely and wildly used concept. 
It is used in several different contexts to mean different things. In this paper 
we understand a VPN as a way to transfer private data traffic over a 
public network without exposing it to the public. VPNs provide a more cost effec- 
tive way to provide private networking for multi-site communication than tra- 
ditional approaches such as leased lines. Tunneling is one of the principles used 
in VPN networks to carry traffic over the IP backbone network [10]. Tunneling 
is especially useful when the payload traffic has no relation to the underlying IP 
addressing. This is the case when the payload traffic is multiprotocol or private 
IP addressing [16] is in use. 

4 Virtual Security Zones 

4.1 Design 

The general level architecture of the system is depicted in Figure 1. The 
central component of the system is the security policy server, which is the server 
hosting the software component for managing the virtual security zones. Working in 
close connection with the security policy server are the directory servers, which are 
used as distribution points for security policy definition files. In addition to 
these, a certificate authority is used for assigning certificates to the security 
policy server and the managed nodes. These certificates act as the digital identities of 
their owners. PKI was chosen as the trust establishment system as it provides 
the best scalability and availability. 

We have also a natural hierarchy in our system as every node needs to trust 
the central point - the security policy server. Mutual authentication between 
the security policy server and the managed nodes is achieved using CA assigned 
certificates. In the managed node, a small program is needed to fetch the security 
policy definition files from one of the directory servers, and interpret the acquired 
file into executable commands. 

The local administrator is the person responsible for local administrative tasks on 
the node. These tasks include hardware and software installation and configura- 
tion of the node. The local administrator also initiates the certificate enrollment 
for acquiring the certificate for the node. The network administrator is the person 
responsible for configuring the general network infrastructure. He assigns the 
IP addresses that the nodes will use, either manually or automatically using the 
DHCP protocol. If the node is supposed to be part of a virtual security zone, the 
network administrator passes the information about the node to the security 
policy server. 

The security administrator is the person responsible for setting up the security 
zones. He is also responsible for administering the network administrators’ 
access rights to the central management node. The security administrator trusts that 
the certificates assigned by the certificate authority are valid. 

The Certificate Authority is the entity that assigns the digital certificates to the 
security policy server and the managed nodes. It acts as a trusted third party 
between the security policy server and the nodes. In the case that the security policy 
server and the managed nodes are under different PKIs, a cross certification 
process [2] is needed to establish the trust between the two PKIs. 

Security Policy Manager (SPM) is the software component for the central- 
ized management of the security policies in the security zones. The component 
is located in the security policy server. It will assemble the security policy con- 
figuration files for managed nodes and delegate the distribution of these files to 
the directory servers. 




Fig. 1. General architecture for the system 



Security Policy Agent (SPA) is the software component installed in the man- 
aged nodes for retrieving and processing the configuration information written 
by the SPM. The SPA together with firewall and VPN software acts as a software 
based policy enforcement point (PEP). 

Directory Servers act as distribution points for security policy configuration 
files. Managed nodes will contact one of the directory servers to acquire their 
own configuration. 

Managed nodes form security zones according to security policies defined by 
the security policy administrator. Managed nodes listen for policy updates from 
security policy server and fetch their configuration files from directory servers. 



4.2 Policy Transfer 

The policy decision can be made either in the central management node or at 
the managed PEP. However, the former approach is unreasonable in our case. 
Because policy decisions are made on a per-packet basis, the traffic towards the 
central management node would become outrageously high. We therefore chose 
to combine the PDP with the PEP. This way the security policy information 
needs to be transferred to the managed node only during system startup and 
when the security policy is changed. 

Based on the literature study we examined the different possibilities for trans- 
ferring the policy from the central management node to the PEP. The most promis- 
ing methods we identified were using SNMP for policy transfer, or using XML or 
configuration commands to describe the policy and other means to transfer it. 
We wanted to make the presentation of the policy independent of the transfer 
process, which left us with the last two choices. If the policy is mapped 
to low level commands already at the SPM, the SPM needs to know the 
target environment exactly. However, often this information is not easily available, 
or it would require extra work from one of the administrators to figure it out. 
Therefore we chose to use the XML language as the high level policy description 
language, which is used in the policy transfer. The XML based message is then 
mapped to environment specific low level configuration commands at the PEP 
in the managed node. 

The Document Type Definition (DTD) for the XML file used for policy 
transfer is depicted in Figure 2. The root element, policy, can have any 
number of IPsec groups (ipsec_group) in it. An IPsec group consists of a pre- 
shared key (psk) and any number of end-points (end_point). End-points always 
have an IP address (remote_ip) and they may have a tunneling configuration 
(tunnel). If a tunneling configuration is present, the tunnel element includes 
the virtual IP address of the remote node (remote_vip) and a corresponding 
virtual IP address for the local node (own_vip). The tunneling can be used to 
create an extra logical layer on top of the public IP network. 

We used a process similar to that used in PGP [62] to sign and encrypt the 
configuration information. Data is first compressed to enhance the resistance 
against cryptanalysis [21]. 

To be able to notify the managed node about a change in the security policy 
two mechanisms can be used - server push or client pull. In our system the con- 
figuration changes do not occur often, therefore the server push is the preferred 
method, as it creates less network traffic compared to client pull. However, the 
server push generates a heavy load on the security policy server if the number of 
clients in the security zone is high. Therefore we chose to use a slightly modified 
server push approach. 



<?xml version="1.0" encoding="utf-8"?> 

<!-- DTD for security policy presentation --> 
<!ELEMENT policy (ipsec_group*)> 
<!ELEMENT ipsec_group (psk, end_point*)> 
<!ELEMENT psk (#PCDATA)> 

<!ELEMENT end_point (remote_ip, tunnel?)> 
<!ELEMENT remote_ip (#PCDATA)> 
<!ELEMENT tunnel (remote_vip, own_vip)> 
<!ELEMENT remote_vip (#PCDATA)> 
<!ELEMENT own_vip (#PCDATA)> 



Fig. 2. The DTD for policy presentation 
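As an added example (not the paper's prototype code), the Go program below performs the SPA's mapping step for a policy file in the format of Fig. 2. It parses the XML into structures mirroring the DTD, enforces the constraints the DTD states (a psk in every ipsec_group, a remote_ip in every end_point, both remote_vip and own_vip whenever a tunnel is present), additionally requires the addresses to parse as IP addresses, and returns one environment-neutral PeerConfig per end-point; the command syntax that a real agent would emit for its firewall or IPsec stack is deliberately left out. The sample policy document is constructed for this example and the PeerConfig type is an assumption.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net"
	"strings"
)

// Structures mirroring the DTD of Fig. 2.
type Tunnel struct {
	RemoteVIP string `xml:"remote_vip"`
	OwnVIP    string `xml:"own_vip"`
}
type EndPoint struct {
	RemoteIP string  `xml:"remote_ip"`
	Tunnel   *Tunnel `xml:"tunnel"`
}
type IPsecGroup struct {
	PSK       string     `xml:"psk"`
	EndPoints []EndPoint `xml:"end_point"`
}
type Policy struct {
	XMLName xml.Name     `xml:"policy"`
	Groups  []IPsecGroup `xml:"ipsec_group"`
}

// PeerConfig is the environment-neutral result of mapping one end-point:
// what the SPA hands to the IPsec/firewall layer for that peer (assumed type).
type PeerConfig struct {
	RemoteIP, PSK     string
	RemoteVIP, OwnVIP string // empty when no tunnel is configured
}

// ParsePolicy parses the XML and enforces the DTD's required elements, plus
// the check that every address is a syntactically valid IP address, so a
// malformed file is rejected before any command is generated from it.
func ParsePolicy(doc []byte) ([]PeerConfig, error) {
	var pol Policy
	if err := xml.Unmarshal(doc, &pol); err != nil {
		return nil, fmt.Errorf("xml: %w", err)
	}
	var out []PeerConfig
	for gi, g := range pol.Groups {
		if strings.TrimSpace(g.PSK) == "" {
			return nil, fmt.Errorf("ipsec_group %d: missing psk", gi)
		}
		for ei, ep := range g.EndPoints {
			ip := strings.TrimSpace(ep.RemoteIP)
			if net.ParseIP(ip) == nil {
				return nil, fmt.Errorf("ipsec_group %d end_point %d: bad remote_ip %q", gi, ei, ip)
			}
			pc := PeerConfig{RemoteIP: ip, PSK: g.PSK}
			if ep.Tunnel != nil {
				rv := strings.TrimSpace(ep.Tunnel.RemoteVIP)
				ov := strings.TrimSpace(ep.Tunnel.OwnVIP)
				if net.ParseIP(rv) == nil || net.ParseIP(ov) == nil {
					return nil, fmt.Errorf("ipsec_group %d end_point %d: tunnel needs remote_vip and own_vip", gi, ei)
				}
				pc.RemoteVIP, pc.OwnVIP = rv, ov
			}
			out = append(out, pc)
		}
	}
	return out, nil
}

// samplePolicy is a constructed document valid under the DTD (not from the paper).
const samplePolicy = `<?xml version="1.0" encoding="utf-8"?>
<policy>
  <ipsec_group>
    <psk>example-shared-secret</psk>
    <end_point><remote_ip>192.0.2.10</remote_ip></end_point>
    <end_point>
      <remote_ip>192.0.2.11</remote_ip>
      <tunnel><remote_vip>10.0.0.11</remote_vip><own_vip>10.0.0.1</own_vip></tunnel>
    </end_point>
  </ipsec_group>
</policy>`

func main() {
	peers, err := ParsePolicy([]byte(samplePolicy))
	fmt.Println(peers, err)
}
```

Go's encoding/xml does not validate against a DTD, which is why the required-element rules are checked explicitly after unmarshalling; an agent that skipped them would happily generate commands from a policy missing its pre-shared key.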
When the security policy is changed the server sends a short notification 
message to the client. This will initiate the client side update process. The lis- 
tening daemon process in the managed node - the SPA - wakes up and starts 
the configuration process for the node. 



4.3 Security Policy Manager 



Security Policy Manager (SPM) is the software component that is used for man- 
aging the security policies of the distributed managed nodes. The SPM process 
is hosted by the security policy server. We will next formulate the requirements 
for the SPM in the form of use cases. 

The primary actors using the services of the system are administrators and nodes. 
The administrator actor is extended with two special types of administrator: the 
network administrator and the security administrator. Every administrator needs to 
log in to the system before being able to perform any other type of action. 

The network administrator has a use case for inserting a node into the system 
and for removing a node from the system. Using these two functions the network 
administrator can join and remove nodes from the group of managed nodes. 

The security administrator has use cases for creating, modifying and delet- 
ing security zones. The create zone use case allows the security administrator to define a new 
security zone and its parameters. The parameters include the name of the zone, 
the shared secret the nodes in the zone will use for mutual authentication, and 
optionally the private address space to be used in the zone. The modify zone use case is 
used for adding or removing nodes from an existing security zone, and the delete 
zone use case removes the whole security zone. All three use cases use the notify 
node use case for notifying managed nodes about configuration changes. 

Only one use case was defined for the managed node actor. This is called get 
configuration. It allows the managed node to retrieve its configuration informa- 
tion from the SPM. The storage of configuration files need not be at the same 
server where the SPM is located; the task can be delegated to directory servers, as 
we depicted earlier in the system architecture. 

When considering a node inside a security zone, certain information about 
these entities needs to be maintained. We begin by modeling the node. The man- 
aged node has a name that is used by the network and security administrators to 
identify it. It also has a unique IP address that can be used for distinguishing 
the nodes from each other. The node can also be a member of any number of 
security zones. A security zone has a distinguished name that is used for identi- 
fying it. In addition, a shared secret that the nodes use for identifying members 
of the zone is required. Optionally the nodes may communicate using a private 
address space instead of the public IP addresses. Therefore the private ad- 
dress space, or virtual address space as we call it, is also stored in the database. The 
security zone can have any number of nodes in it. 
4.4 Security Policy Agent 

Security Policy Agent is the software component located in the managed nodes. 
It is responsible for retrieving configuration files from SPM and putting the 
received security policy in action. 

The configuration update of the client consists of the following phases: (1) 
Node downloads the compressed and encrypted configuration file, content en- 
cryption key and signature of the configuration file from one of the directory 
servers. (2) Node decrypts the content encryption key with its private key. (3) 
Node decrypts the configuration file with the content encryption key. (4) Node 
verifies the signature of the decrypted configuration file. (5) Node decompresses 
the configuration file. (6) Node maps the XML based policy contained in the 
configuration file to environment specific commands. (7) Node executes the com- 
mands. 

After executing all the aforementioned steps the node will be running with 
the new configuration. If there is a problem in any step, the configuration update 
will fail and the program will return to its initial state. One reason for a failed 
configuration update could be a network failure. 
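The Go program below is an added example, not the prototype described in the paper, of phases (1) to (5) of the update in both directions: Package is the SPM side that compresses the policy, signs the compressed data and encrypts it under a fresh content encryption key wrapped to the node, and Apply is the SPA side that unwraps the key, decrypts, verifies the signature and only then decompresses, returning an error on any failure so that the caller keeps its previous configuration. The paper describes the process only as PGP-like; the concrete algorithms (zlib, AES-256-GCM, RSA-OAEP for key wrapping, RSA-PSS for signing) and the Bundle layout are assumptions made here.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Bundle is an assumed layout for what a directory server hands one node:
// the compressed-then-encrypted policy, the content encryption key wrapped
// to the node's public key, and the SPM's signature over the compressed policy.
type Bundle struct {
	EncPolicy  []byte // AES-GCM nonce || ciphertext of the compressed policy
	WrappedKey []byte // RSA-OAEP(node public key, content encryption key)
	Signature  []byte // RSA-PSS(SPM private key, SHA-256(compressed policy))
}

// Package is the SPM side: compress, sign the compressed data, encrypt it
// under a fresh content key, and wrap that key for the node.
func Package(policy []byte, spmPriv *rsa.PrivateKey, nodePub *rsa.PublicKey) (*Bundle, error) {
	var zb bytes.Buffer
	zw := zlib.NewWriter(&zb)
	zw.Write(policy)
	zw.Close()
	compressed := zb.Bytes()
	digest := sha256.Sum256(compressed)
	sig, err := rsa.SignPSS(rand.Reader, spmPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	cek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, cek); err != nil {
		return nil, err
	}
	blk, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(blk)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, nodePub, cek, nil)
	if err != nil {
		return nil, err
	}
	return &Bundle{
		EncPolicy:  gcm.Seal(nonce, nonce, compressed, nil),
		WrappedKey: wrapped,
		Signature:  sig,
	}, nil
}

// Apply is the SPA side, phases (2) to (5): unwrap the key, decrypt, verify
// the signature, and only then decompress. Any failure returns nil and an
// error so the caller keeps its previous configuration (the paper's return
// to the initial state). Verifying before decompressing keeps unauthenticated
// data away from the decompressor; the read limit bounds the expansion.
func Apply(b *Bundle, nodePriv *rsa.PrivateKey, spmPub *rsa.PublicKey) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, nodePriv, b.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed")
	}
	blk, err := aes.NewCipher(cek)
	if err != nil {
		return nil, errors.New("bad content key")
	}
	gcm, _ := cipher.NewGCM(blk)
	if len(b.EncPolicy) < gcm.NonceSize() {
		return nil, errors.New("truncated policy")
	}
	nonce, ct := b.EncPolicy[:gcm.NonceSize()], b.EncPolicy[gcm.NonceSize():]
	compressed, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("policy decryption failed")
	}
	digest := sha256.Sum256(compressed)
	if rsa.VerifyPSS(spmPub, crypto.SHA256, digest[:], b.Signature, nil) != nil {
		return nil, errors.New("signature verification failed")
	}
	zr, err := zlib.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, errors.New("decompression failed")
	}
	defer zr.Close()
	policy, err := io.ReadAll(io.LimitReader(zr, 1<<20))
	if err != nil {
		return nil, errors.New("decompression failed")
	}
	return policy, nil
}

func main() {
	spm, _ := rsa.GenerateKey(rand.Reader, 2048)
	node, _ := rsa.GenerateKey(rand.Reader, 2048)
	b, _ := Package([]byte("<policy/>"), spm, &node.PublicKey) // constructed sample policy
	got, err := Apply(b, node, &spm.PublicKey)
	fmt.Printf("%s %v\n", got, err)
}
```

The order of checks matters for the failure case the paper mentions: a bundle from a directory server that has been tampered with, or one signed by a key other than the SPM's, is rejected before any of its content is decompressed or handed to phase (6).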



4.5 Security Policy Enforcement 

Instead of presenting another high level policy definition language (see [8] [5]) we 
took a hands-on approach to solving the problem of security policy management 
in a distributed network. We include in our prototype implementation the 
support for configuring firewall and VPN policies. 

Although any protocol capable of traffic encryption could be used, we chose 
IPSec for encrypting the traffic in the virtual security zones. IPSec, being a 
part of the forthcoming IPv6 standard, will most probably have a strong 
position in encrypting future network traffic, not forgetting its already wide use 
in IPv4 networks. We also wanted to combine the VPNs with the distributed 
firewall concept to provide a totally isolated VPN or virtual security zone. 

A comprehensive security solution cannot depend solely on a packet filtering 
firewall, although the firewall can be a crucial part of it. To secure a node we need 
to control several different things. Some of the most important ones are: user 
or program access rights, filtering incoming and leaving traffic, encrypting the 
leaving traffic, user authentication and authorization, and intrusion detection. 

A firewall’s purpose is to enforce the security policy defined by the security 
administrator. It accomplishes this by filtering the traffic at packet, stream or 
application level. According to Ziegler in Linux Firewalls [20], a packet filtering 
firewall can protect you against the following threats: some source address 
spoofing, useful information revealed in response to port scans, malformed 
broadcast packets used to identify UNIX systems, some forms of network mapping, 
some denial-of-service attacks, source-routed packets, some forms of fragmentation 
bombs, local mistakes that affect remote sites, access to private Local Area 
Network (LAN) services, and additional protection against local server 
misconfigurations. 
However, as we pointed out already in the introductory chapter, a firewall 
can only be as good as its administrator is. In a centralized remote configuration, 
the hopefully highly competent security administrator can verify that the 
configuration is really error free before distributing the configuration to managed 
nodes. Centralized administration also makes it easy to change the configuration 
very rapidly throughout the network if a flaw is found. 



4.6 Communication Model between the Managed Nodes 

We wanted to let the managed nodes communicate using a private address space, 
while on the other hand we wanted to provide a secure communication channel 
over the public network. Analysis of the different VPN technologies led us to 
the combination of two of these, namely GRE with IPSec. GRE provides the 
tunneling of the private addresses, while IPSec handles the data encryption and 
integrity protection. 

Using this approach we can form logically separate networks from the 
underlying public IP address space. Only the virtual IP address is provided to 
applications, thus making them independent of the underlying public IP 
address. In other words, we use the public IP addresses of the nodes just 
for packet transmission and decapsulate the virtual IP address at the receiving 
node. Combining the end-point firewalls with this structure leads to the 
construction of a virtual security zone. 



5 Implementation 

J2EE was chosen as the server implementation environment because it supports 
the Java servlet and Java Server Pages (JSP) technologies, and thus enables easy 
development of web frontends. 

Java servlets are server side components that handle the client requests in 
an efficient and highly versatile way. JSPs are used to create the presentation 
front-end for the data that the servlets provide. JSP files are interpreted by 
Apache Tomcat into Hypertext Markup Language (HTML) pages that can 
be shown by the client in a web browser. The actual data is stored inside a 
relational database system. Apache Ant [11] is a build tool for Java, developed 
in the Apache Jakarta Project. It uses a feature-rich XML based configuration 
language to describe the build and deployment process. All build scripts for our 
project were written using the scripting language of Ant. 



5.1 Software Components 

In Figure 3 we have depicted the classes for the SPM server and how they are 
divided into packages. The web package consists of the two servlet classes which 
handle the requests made by the security and network administrators from their 
web browsers. These classes work in close connection with the classes in the util 
package. 
Fig. 3. Classes and packages for Security Policy Manager 



The util package includes most of the advanced functionality embedded into 
the system. In addition to having the actual logic for forming the XML based 
configuration files for managed nodes (PolicyMaker), it includes worker classes 
for reading certificates from the keystore (CertReader), encrypting data (Encryptor) 
and notifying the client hosts about configuration changes (Notifier). The data 
acquired from the database is handled using the classes in the valueObject package. 

Configuration data is saved into an object structure which corresponds to the 
XML representation we have introduced. The corresponding classes are located in 
the shared package, which, as the name indicates, is shared between the SPM 
and SPA applications. A configuration may have any number of IPSec groups 
and each IPSec group may have any number of end-points. End-points can have 
a tunnel dependency if private IP addressing is in use. Data persistence is 
handled by the DataAccess class in the dbAccess package. It provides methods 
for storing, querying and deleting data. The actual database access is naturally 
done using SQL. 



5.2 User Interface for Administrators 

The Security Policy Manager provides a convenient web-based user interface for 
network and security administrators. Being web-based, the interface is available 
everywhere there is a web-browser. The connection between the web-browser and 
the server is protected with TLS/SSL and the administrators are authenticated 
using username and password. 

The security administrator can conveniently select the nodes he wants in the 
zone by clicking the radio box next to the hostname and IP address. He also 
needs to define a name for the zone and a shared secret that the zone members 
will use to authenticate each other. This secret should probably be generated 
automatically by the system because the administrator is likely to choose 
easy-to-guess or too short shared secrets. The last field allows the administrator 
to give a virtual network address space for the chosen managed nodes. 
5.3 Security Policy Agent 

The Security Policy Agent (SPA) is the daemon process running in the nodes 
we want to manage remotely. It includes functionality for retrieving, processing 
and installing the configuration data. 

The SPA has three packages: core, shared and util. In the core package 
is the main program class for the client, called SPAgent. It is responsible for 
reading client specific configuration from an initialization file, retrieving the initial 
configuration from one of the directory servers, and for starting the process 
listening for incoming configuration updates. 

6 Conclusions 

In this study we constructed a system for centralized management of virtual 
security zones. The vehicle chosen for policy transfer from the centralized management 
node to the managed nodes was an XML based policy file. The integrity and 
confidentiality of the file were protected using strong cryptography. The actual policy 
enforcement was done by the policy enforcement point in the managed node. 
To prevent users and local administrators from changing the security policy the 
security administrator has set, the policy enforcement point should be tamper 
resistant. 

We also presented a new concept called a virtual security zone. The members 
of the virtual security zone are isolated from the underlying public IP network 
using tunneling and encryption. In our implementation the traffic inside the vir- 
tual security zone was encrypted using the IPSec protocol. Applications running 
on the nodes can be separated into different zones using virtual IP addresses 
provided by the GRE tunneling. 

The management of security policies in a distributed environment has 
traditionally been a task involving a lot of handwork. By handwork we mean that 
the configurations of the hosts are either locally or remotely set up using a 
command line interface. Our system provides an easy way to define, in a centralized 
manner, virtual security zones that can span hosts in multiple mutually untrusted 
networks. The configuration is done securely by using strong cryptography to 
provide confidentiality as well as integrity protection for the configuration data. 
We also provided a web based management front-end for the administrators, 
which made the security administration independent of time and place. 

One interesting area for further research would be support for the mobility 
of the managed hosts. While our system could provide limited mobility with 
slight modifications, further research in the area would be needed to enable the 
managed hosts to move freely while still maintaining the security policy the security 
administrator had set in the first place. 
Abstract. Distance vector routing protocols (e.g., RIP) have been widely used 
on the Internet, and are being adapted to emerging wireless ad hoc networks. 
However, it is well-known that existing distance vector routing protocols 
are insecure due to: 1) the lack of strong authentication and authorization 
mechanisms; 2) the difficulty, if not impossibility, of validating routing updates 
which are aggregated results of other routers. In this paper, we introduce a 
secure routing protocol, namely S-RIP, based on a distance vector approach. In 
S-RIP, a router confirms the consistency of an advertised route with those nodes 
that have propagated that route. A reputation-based framework is proposed for 
determining how many nodes should be consulted, flexibly balancing security 
and efficiency. Our threat analysis and simulation results show that in S-RIP, a 
well-behaved node can uncover inconsistent routing information in a network 
with many misbehaving nodes assuming (in the present work) no two of them are 
in collusion, with relatively low extra routing overhead. 

Keywords: Routing Security, Distance Vector, Distance Fraud, Security Analysis 



1 Overview 

It is well-known that today’s Internet is not secure. Both Internet applications and the 
underlying routing infrastructures are vulnerable to a variety of attacks. Although a 
majority of incidents reported so far are realized by the exploitation of software 
vulnerabilities in client and server machines, it has been noted long ago that abusing routing 
protocols may be the easiest way for launching attacks [2], and a single misbehaving 
router can completely disrupt routing protocols and cause disaster [23]. This viewpoint 
has been more recently expressed by a group of network and security experts [4]. 

There are many factors that make today’s routing infrastructures insecure. Three of 
them are as follows. 1) There are no strong security services built into routing protocols. 
Many routing protocols only provide weak authentication mechanisms, e.g., plain-text 
password or system-wide shared keys, for authenticating peers or routing updates. As 
a result, it is easy for an adversary to gain access to the routing infrastructure and 
manipulate routing information. 2) Software vulnerabilities and misconfigurations expose 
routing infrastructures to severe risks. 3) Most routing protocols assume a trustworthy 
environment. In the case where no authentication mechanisms are implemented, routing 
updates are accepted with only rudimentary validation. When authentication mechanisms 
are present, routing updates are verified for the correctness of data origin and integrity 
only. However, after a route update is verified to be “authentic”, the routing information 
conveyed in the update is trusted and used to update the recipient’s routing table. This is 
risky since data origin authentication, which includes data integrity [17], cannot 
guarantee the factual correctness of a message. A malicious entity or a compromised legitimate 
entity can send false information in a correctly signed message. A recipient can detect 
unauthorized alteration of the message, but cannot tell if the information conveyed in 
the message is factually correct unless the recipient has the perfect knowledge of what 
it expects to receive. 

The difficulty of validating DV routing updates arises due to the fact that they are the 
distributed computational results of other nodes [22,31]. Mittal and Vigna [18] propose 
to use intrusion detection sensors for validating routing advertisements by comparing a 
routing update with a master routing database that is pre-computed off-line. One 
disadvantage is that their approach cannot prevent fraudulent misinformation from poisoning 
others’ routing tables, although it may be able to detect it. Hu, Perrig, and Johnson [9] 
propose to use hash chains and authentication trees to authenticate the distance of a 
route. However, their approach does not address longer distance fraud. 

We present a secure DV routing protocol, namely S-RIP, based on RIP [15], which 
can prevent router and prefix impersonation, as well as shorter and longer distance 
fraud. In S-RIP, an advertised route is validated for its factual correctness before being 
used to update a routing table. Given the difficulty of validating the factual correctness 
of routing information in a DV routing protocol, we propose to use consistency as an 
approximation of correctness. An advertised route is treated as correct if it is consistent 
among those nodes that have propagated that route. Unless those nodes involved in a 
consistency check are in collusion, with high confidence a consistent route is correct. 
By this approach, we hope that nodes surrounding a misbehaving node will uncover 
inconsistency and prevent misinformation from further spreading. 

A reputation-based framework is proposed for determining how many nodes to 
involve in a consistency check, providing the flexibility for balancing security and 
efficiency. Firstly, the notion of either trusting or distrusting a node is replaced by node 
reputation measured by a numeric value. Although in an intra-domain routing protocol 
(e.g., RIP), routers are under a single administrative domain and tend not to be mutually 
suspicious, they could be compromised due to software flaws. Malicious nodes can also 
manage to join a routing domain by exploiting routing vulnerabilities. Therefore, fully 
trusting any individual node even in an intra-domain routing protocol may introduce the 
vulnerability that a malicious node can call into question the legitimacy of other nodes. 
Node reputation provides the flexibility to relax this notion, and can be interpreted as 
an estimation that a node will provide correct information in the near future. Secondly, 
we propose an efficient method for computing the accumulated confidence in the 
correctness of a consistent routing update from the reputations of those nodes involved in 
the consistency check. Combined with confidence thresholds, this method effectively 
creates a sized window for determining how many nodes to involve in a consistency 
check. 

The sequel is organized as follows. Section 2 analyzes RIP vulnerabilities. Section 3 
presents security objectives and mechanisms of S-RIP. The reputation-based framework 
is presented in Section 4. S-RIP is presented and analyzed in Section 5. Section 6 presents 
simulation results. Section 7 reviews related work for securing routing protocols, with 
emphasis on securing DV routing protocols. Further comments and future work are 
discussed in the last section. 



2 Background: RIP Vulnerabilities 

RIP (we mean RIPv2) is an Internet Standard intra-domain DV routing protocol (see [15] 
for details). Despite certain limitations, e.g., the maximum distance between two nodes 
is 15 hops, it is still used by many small and medium size organizations (including some 
universities). RIP has several known security vulnerabilities. Five of them are discussed 
below. 

1) An unauthorized node can easily join a routing domain and participate in routing 
operations. This is referred to as router impersonation. RIPv1 [8] does not have any 
authentication mechanism. RIPv2 only uses a clear-text password for authenticating peers. 
Since a clear-text password can be easily captured, it provides only marginal additional 
security in practice. Keyed MD5 has been proposed [1] to replace the password-based 
authentication mechanism. However, it is still vulnerable in that one compromised router 
discloses keying materials of every other router in the network. 

In addition, RIP does not have any mechanism for preventing a questionable node (an 
unauthorized node or a compromised/malicious legitimate node) from advertising fraudulent 
routing information about distance or next hop. 

2) A questionable node can claim a zero distance to a non-directly connected network or a 
nonexistent network. This is often referred to as prefix impersonation. The proposed MD5 
authentication [1] requires a system-wide shared secret key(s). This makes router 
impersonation harder, but cannot prevent prefix impersonation. 

Although prefix impersonation is a bigger issue in inter-domain routing protocols (e.g., BGP), it 
can also cause serious problems in intra-domain routing protocols (e.g., RIP). Figure 1 shows that 
a malicious node can easily launch service disruption (a type of denial of service) attacks 
by prefix impersonation. A similar incident (referred to as a blackhole) has occurred in 
the ARPANET [16]. 

3) A questionable node may claim a distance shorter than the actual distance to a 
destination. This is called shorter distance fraud. This fraud can be used to attract traffic 
to launch a variety of attacks (e.g., eavesdropping, session hijacking). 

4) A questionable node can claim a distance longer than the actual distance for a 
destination. This is called longer distance fraud. This fraud can be used to avoid traffic, 
which may lead to unfair utilization of network links and cause network congestion. 
Thus, it can be used to launch a denial of service attack. This fraud is different from 
malicious packet dropping attacks. While they both result in packet dropping, the latter 
can be detected by known techniques (e.g., secure traceroute [20]) while the former is 
more stealthy. 

Fig. 1. m_1 advertises a zero distance route for B. As a result, v_1’s routing table 
is poisoned by an incorrect route for B. Traffic from A to B will be forwarded by 
v_1 to m_1, which causes service disruption against A since m_1 does not have a 
route to B other than the one via v_1. 

5) A questionable node may advertise arbitrary routing information or carefully 
crafted routes to poison others’ routing tables, e.g., to cause routing loops or have invalid 
routes installed, and can also provide false information on a next hop. 



3 Security Objectives and Mechanisms of S-RIP 



To counter security vulnerabilities of RIP, we propose a new secure DV routing protocol, 
namely S-RIP. The security objectives of S-RIP include: 1) preventing router 
impersonation; 2) preventing prefix impersonation; and 3) preventing distance fraud (both shorter 
and longer). Fraud can be committed by individual nodes or colluding nodes. In this 
paper, we only consider uncoordinated individual fraud and leave the discussion of 
collusion to future work. Our proposed mechanisms for achieving the above objectives 
are discussed below. 



3.1 Preventing Router Impersonation 

To prevent router impersonation, we require Assumption A1: every router shares a 
different key with every other router in a RIP domain. With A1 and an authentication 
algorithm (e.g., keyed MD5), a router can effectively detect router impersonation by 
validating a message authentication code (MAC) of a routing update message. Pair-wise 
shared keys make it more difficult for an unauthorized node to impersonate a legitimate 
node, and ensure that the keying materials of one router will not be disclosed when 
another router is compromised. Of course, use of shared keys results in additional 
complexity; due to space limitations, we omit further discussion here. 



3.2 Preventing Prefix Impersonation 

To prevent prefix impersonation, we require Assumption A2: there is a central authority 
(e.g., a network administrator) with perfect knowledge of which router is physically 
connected to which subnets in that autonomous system (AS). Such perfect knowledge, 
or router-prefix mapping, is realistic for an AS since network configurations are 
administratively controlled by a single authority. The router-prefix mapping is then securely 
distributed to each router, e.g., it can be pre-configured on each router. Ongoing updates 
(e.g., additions of subnets or routers) can then be done through a secure channel (e.g., 
SSH) between the central authority and each router. Although network topology may 
be dynamic (e.g., caused by link failures), we expect the router-prefix mapping to be relatively 
static since addition/deletion of subnets usually occurs far less frequently than link 
failures. Other alternatives can also be used to prevent prefix impersonation, e.g., address 
attestation in S-BGP [14], authorization certificates in soBGP [32], etc. However, they 
may require a public key infrastructure, which has its own drawbacks. 
3.3 Preventing Distance Fraud 

Shorter and longer distance frauds are difficult to prevent. In a distance vector routing 
protocol, routing updates received by a node are computational results or aggregated 
routes of other nodes. Unless a node has perfect knowledge of network topology and 
dynamics, it appears impossible to validate the factual correctness of aggregated routing 
updates [22,31]. 

We propose to use consistency as an approximation of correctness. An advertised 
route is validated by cross checking its consistency with the routing information of those 
nodes from which this route is derived. If the route is consistent among those nodes, 
it is treated as correct. Otherwise, incorrect. For example, in Figure 2, when node v_2 
advertises to v_1 a 2-hop route for v_5 with v_3 as the next hop, v_1 queries v_3’s route for v_5, 
which is 2 hops. Since v_2’s route for v_5 is supposed to be one hop longer than v_3’s route 
for v_5 (this is specifically based on RIP, but can be easily generalized), an inconsistency is 
detected. Although v_1 does not know which node (v_2 or v_3) provides invalid information, 
v_1 knows that something is abnormal with this route. Therefore, this route is dropped. If 
v_2 advertises a 3-hop route for v_5, it is consistent with v_3’s 2-hop route. Thus, it may be 
accepted. §5 presents the algorithm details for consistency checks and analyzes various 
threats. 

To support consistency checks, we require Assumption A3: a node indicates (either 
voluntarily for direct neighbors or upon request otherwise) the next hop of each route in 
its routing table. For example, in Figure 2, v_2 should tell v_1 that v_3 is the next hop on 
the route for v_5. v_3 should also tell v_1 that v_4 is its next hop to v_5 upon request. Requests 
can be made by RIP route request or other mechanisms (e.g., SNMP MIB query [3]). If a 
node fails to provide information on next hops, its behavior is called into question. 

One property of a DV routing protocol is that a node only communicates with its 
direct neighbors and does not need to maintain the network topology beyond its direct 
neighbors. In a link state (LS) routing protocol, a node advertises its link states to every 
other node in the network by flooding, and each node maintains a whole view of the 
network topology. A3 allows a node to query non-direct neighbors, which expands the 
node-to-node communication boundary in a DV routing protocol to a dynamic area (by our 
reputation-based approach, §4). 

We thus note that our approach falls in between the DV and LS approaches. 
Pictorially, the communication range of an LS node covers the whole network (flooding), 
while the communication range of a traditional DV node only covers its direct 
neighbors (neighbor-to-neighbor). In S-RIP, the communication range of a node is dynamic. 
Although it is certainly beyond direct neighborhood and could reach the whole 
network, most likely, it will only cover a nearby neighborhood (e.g., within 2 or 3 hops) 
dependent on window size (§4.3). Therefore, additional routing overhead generated by 
non-neighbor querying is limited, as confirmed by our simulation results in §6. The 
requirement of storage space is also increased in S-RIP, but very slightly since an S-RIP node 
only needs to maintain the information of remote nodes when they are being or will be 
consulted for a consistency check. 




Fig. 2. Consistency Checks 
Another question which arises is: how does a node query a remote node if it does not 
have a known route for that node? For example, in Figure 2, for v_1 to validate a route 
for v_3, v_1 may need to query v_3. However, v_1 cannot talk to v_3 if it does not have a 
route for v_3. This is a known problem: a secure routing protocol relies upon a routing 
protocol for node reachability. In S-RIP, a temporary routing table is maintained, which 
contains all routes to be validated. The temporary routing table is only used for route 
validation (not for routing data traffic). When a route passes a validation, it is moved to 
the regular routing table and can be used for routing data traffic. In the above example, 
v_1 first installs the route for v_3 into the temporary routing table, and sends to v_2 a routing 
request destined for v_3. v_2 should have a route for v_3 since it advertises such a route to v_1 
(otherwise, it is misbehaving). When v_3 receives a route request from v_1, it sends back 
to v_1 a route response via a route either in its temporary routing table or the regular one. 
This route request and response process incurs additional routing overhead, but also adds 
another level of assurance that intermediate nodes are actually forwarding packets. If 
we can make a route request or response message indistinguishable from a normal data 
packet (e.g., by IPSec ESP [13]), this process may detect forwarding level misbehavior 
(i.e., a router advertising correct routes but not forwarding data packets). 

To implement A3 in RIP, the next hop field in a RIP routing update message can 
be utilized. In RIP, the next hop field is only used for route optimization (avoiding an 
extra hop). For example, v_2 will not include v_3 in the next hop field (by setting it to 0) 
unless it believes that v_1 should forward traffic destined for v_5 directly to v_3. With A3, 
v_2 voluntarily includes v_3 in the next hop. This changes the meaning of a next hop from 
“this is your next hop” to “this is my next hop”. Thus, A3 allows a receiving node, instead of 
an advertising node, to decide which node should be the next hop. Despite the change of 
the meaning, A3 is still compatible with RIP since a receiving node will ignore the next 
hop field (treats it as null) if it is not directly reachable. To interoperate with an existing 
implementation of RIP, an S-RIP node may get next hop information from a RIP node 
by external mechanisms, e.g., SNMP MIB query. 

4 Reputation-Based Framework 

In this section we present a reputation-based framework, consisting of a reputation 
update function, an efficient method of computing accumulated confidence, localized 
rules for processing routing updates, and a sized window method for balancing security 
and efficiency. 

4.1 Reputation Definition 

We propose to use node reputation as an estimation of the confidence that a node 
will provide correct routing information in the near future. Every node assigns an initial 
value as the reputation of every other node in a network. A node’s reputation is then 
dynamically updated by Equation 1. The detail of how this equation is derived is given 
in [30]. Many possibilities exist for c_i(j, t+1). We propose Equation 2 for its simplicity. 

r_i(j, t+1) = —   (1) 

c_i(j, t+1) = 0.5   if j provides consistent information at time t   (2) 
                    otherwise (e.g., if j provides conflicting information at time t) 
One property of Equation 1 is that if r_i(j, t) ≠ 1, r_i(j, t+1) will always be less than 
1. Thus, if node i does not assign an initial value of 1 or higher as j’s reputation, r_i(j) 
will always be in the range [0, 1). We propose Equation 3 for computing an accumulated 
confidence from node reputation in the correctness of a routing update consistent among 
a group of nodes. 

Definition 1 (Accumulated Confidence) Let r_x(v_1), r_x(v_2), ..., r_x(v_n) be x’s rating 
of the reputation of nodes v_1, v_2, ..., v_n, respectively. In the case that routing information 
from nodes v_1, v_2, ..., v_n is consistent, node x’s confidence in that information, denoted 
by r_x(v[1..n]), is defined as follows, where v[1..n] denotes v_1, v_2, ..., v_n: 

r_x(v[1..n]) = 
\begin{cases} 
r_x(v_1) & \text{if } n = 1 \\ 
r_x(v_1) + (1 - r_x(v_1)) \cdot r_x(v_2) & \text{if } n = 2 \\ 
r_x(v[1..n-1]) + \left(1 - r_x(v[1..n-1])\right) \cdot r_x(v_n) & \text{if } n > 2 
\end{cases} \quad (3) 

Although developed independently based on our intuition, it turns out that Equation 
3 is consistent with Dempster-Shafer theory (DST) of evidence reasoning [5,27] if we 
assume that in our case, for all i (1 ≤ i ≤ n), v_i acquires its information from an 
independent source. The proof is given in [30]. The advantage of Equation 3 is that it 
is intuitive and computationally efficient. Although DST is more general, e.g., it can 
handle conflicting information, it is computationally less efficient since it involves set 
operations. 



4.2 Validation Rules 

We propose a set of rules for determining how to treat routing advertisements based on 
node reputation. Two thresholds (θ_1, θ_2) are used to divide the reputation domain into 
three levels, namely low, medium, and high. 

Rule 1 (Low Reputation). If node j’s reputation rated by i is in the low range (0 ≤ 
r_i(j) < θ_1), node i will ignore a routing advertisement from j without cross-checking 
its consistency with any other node(s). 

Rule 2 (Medium Reputation). If node j’s reputation rated by i is in the medium range 
(θ_1 ≤ r_i(j) < θ_2), node i will cross check the consistency of a routing advertisement 
from j with other node(s). 

Rule 3 (High Reputation). If node j’s reputation rated by node i is in the high range 
(θ_2 ≤ r_i(j) < 1), node i will cross check the consistency of a routing advertisement 
from j with only one other node. 
4.3 Sized Windows 

Since there may be multiple nodes having propagated an advertised route, a mechanism 
is required to decide how many nodes to involve in a consistency check. The more nodes 
consulted (which agree with the advertised route), the higher the confidence acquired 
in the correctness of that route; but the network overhead will also be higher. We use a 
sized window as a mechanism for balancing the trade-off between security and efficiency. 
The size of the window is the number of the nodes consulted in a consistency check. 
The window size starts from 1. In other words, there is only one node in the window 
before the consistency check of an advertised route, which is the advertiser of that route. 
The window size grows by one, or an additional node is consulted, if the computed 
confidence using Equation 3 in the correctness of that route is less than θ_2. The window 
size keeps growing for the advertised route until 1) an inconsistency occurs, i.e., a node 
reports conflicting information; or 2) all the nodes in the window agree upon the route, 
and 2.1) the computed confidence is greater than θ_2, or 2.2) all informed nodes have 
been involved. In case 1), the route fails the consistency check and is dropped. In case 
2), the route passes the consistency check and is accepted. 



5 Secure Routing Information Protocol (S-RIP)

We present the details and analysis of S-RIP. For an advertised route [dest, dist, nh], we use v_0, v_1, and v_n to represent the recipient, the advertiser, and the ultimate destination respectively. To be more specific, we use dist(v_1, v_n) and nh(v_1, v_n) to represent the distance and the next hop respectively from v_1 to v_n for this particular route.



5.1 S-RIP

When router v_0 receives from v_1 an advertised route [v_n, dist(v_1, v_n), nh(v_1, v_n)], v_0 validates the route as required by RIP [1]. If the route passes this validation and will be used to update v_0's routing table, S-RIP is triggered to perform additional validations. S-RIP is NOT triggered if the advertised route does not indicate a route change or a topology change. Although the timer associated with this route is re-initialized, there is no need to re-validate the route since such a validation should have been done when the route was first installed in v_0's routing table. Highlights of S-RIP on validating [v_n, dist(v_1, v_n), nh(v_1, v_n)] are given immediately below. More details are presented in the remainder of this section.

1. Is the advertised route self-consistent? If not, drop the route.

2. If dist(v_1, v_n) = 0, v_0 performs router or prefix authentication. If the authentication succeeds, v_0 accepts the route. Otherwise, it drops it.

3. If 1 ≤ dist(v_1, v_n) ≤ 15, v_0 checks the consistency of [v_n, dist(v_1, v_n), nh(v_1, v_n)]. If the consistency check succeeds, v_0 accepts the route. Otherwise, it drops it.

4. If dist(v_1, v_n) > 15, v_0 accepts the route without validating it.
Self-consistency Check. v_0 checks if [v_n, dist(v_1, v_n), nh(v_1, v_n)] is self-consistent. 1) If v_1, v_2 (the next hop nh(v_1, v_n)), or v_n is not a legitimate entity, the route is dropped. A router is legitimate to v_0 only if v_0 shares a secret key with it. 2) If dist(v_1, v_n) = 0, nh(v_1, v_n) should be v_1 itself since the advertised route is for v_1 or a subnet directly attached to v_1. 3) If 1 ≤ dist(v_1, v_n) ≤ 15, the next hop must be neither v_0 nor v_1: v_1 should not advertise a valid route back to v_0, from which it learned that route. Otherwise, the problem of counting to infinity occurs. Although RIP recognizes this problem and proposes split horizon (with or without poisoned reverse) to solve it, a misbehaving node may not follow the rule and may intentionally create the problem.

Router/Prefix Authentication. If dist(v_1, v_n) = 0, v_1 advertises to v_0 a route for itself or for a subnet directly attached to v_1. If the route is for v_1 itself, message authentication already provides data origin authentication [17]. If the route is for a subnet, the router-prefix mapping (§3.2) is used to validate that v_1 is physically connected to that subnet. If the validation succeeds, the route is accepted. Otherwise, it is dropped.

Consistency Check. If 1 ≤ dist(v_1, v_n) ≤ 15, v_1 advertises to v_0 a reachable route for v_n. v_0 will check the consistency of that route with nh(v_1, v_n), let's say v_2. v_0 requests from v_2 the routing information from v_2 to v_n and to v_1. The message flows are given in Table 1, where * denotes an information field to be provided. The advertised route from v_1 for v_n is treated as consistent with v_2's routing information if dist(v_2, v_1) = 1 and dist(v_1, v_n) = dist(v_2, v_n) + 1 (based on RIP). Otherwise it is inconsistent.

If v_1 is consistent with v_2, v_0 uses Equation 3 to compute an accumulated confidence, $r_{v_0}(v_1, v_2)$. If $r_{v_0}(v_1, v_2) \ge \theta_2$, v_0 accepts the advertised route as correct. Otherwise, v_0 consults additional nodes based on the next hop information. Before v_0 sends a route request to node v_i, it checks if a network loop has been formed. A network loop is formed if the node (v_i) to be consulted has been consulted before. If a loop is detected, v_0 drops the advertised route. Otherwise, the consistency check continues until one of the following three conditions holds: 1) $r_{v_0}(v[1..k]) \ge \theta_2$. In this case, the advertised route from v_1 is treated as correct by v_0. 2) $r_{v_0}(v[1..k-1]) < \theta_2$, and v_k disagrees with v_{k-1}, i.e., $\mathrm{dist}(v_{k-1}, v_n) \ne \mathrm{dist}(v_k, v_n) + \mathrm{dist}(v_k, v_{k-1})$. In this case, v_0 treats the advertised route as inconsistent. 3) v_n has been consulted. If v_n disagrees with v_{n-1}, the advertised route from v_1 is treated as inconsistent. Otherwise, v_0 performs router/prefix authentication with v_n. If v_n passes the authentication, the advertised route is treated as correct no matter what the value of $r_{v_0}(v[1..n])$ is. Otherwise, the advertised route is dropped as v_n provides incorrect information.

Infinity Route. If dist(v_1, v_n) > 15, v_1 advertises to v_0 a route for v_n which is infinite from v_0. v_0 does not validate an infinite or unreachable route since it is trivial for v_1 to make a valid route unreachable if it misbehaves, e.g., by disabling a network interface or dropping packets. The consequence of such misbehavior is that v_0 drops the route and does not forward packets to v_n through v_1. If there is only one route in the network from v_0 to v_n and it goes through v_1, v_0 will not be able to communicate with v_n. It seems hard to force a misbehaving node to forward packets for others if it is determined not to do so. Therefore, we hope a network is designed with redundancy to accommodate a single point of failure. In that case, v_0 could hopefully find an alternative route to v_n, bypassing the misbehaving node v_1.

Table 1. Routing Request and Response

  v_0 -> v_2:  [v_n, *, *]  [v_1, *, *]
  v_0 <- v_2:  [v_n, dist(v_2, v_n), nh(v_2, v_n)]  [v_1, dist(v_2, v_1), nh(v_2, v_1)]
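The validation procedure of Sections 4.2, 4.3 and 5.1 as an added, runnable model (example code, not the paper's own implementation). It runs v_0's checks over a constructed four-router chain v_1 - v_2 - v_3 - v_4 with a subnet attached to v_4; the route request and response follow Table 1. Equation 3 is not reproduced in this section, so the example assumes the noisy-OR combination 1 - prod(1 - r_i), which is Dempster's rule for independent simple support functions on a single hypothesis (the independence assumption the text mentions). All router names, reputations, thresholds and routing tables are constructed.

```python
from dataclasses import dataclass, field

INFINITY = 16  # RIP: a metric of 16 means "unreachable"


@dataclass
class Router:
    """One simulated router: its routing table and directly attached subnets (constructed)."""
    name: str
    table: dict                                   # dest -> (dist, next_hop); own entry is (0, self)
    prefixes: set = field(default_factory=set)    # subnets the router is physically attached to


def combine(reps):
    """ASSUMED Equation 3 (noisy-OR): confidence that at least one of k independent
    raters is telling the truth, 1 - prod(1 - r_i)."""
    disbelief = 1.0
    for r in reps:
        disbelief *= 1.0 - r
    return 1.0 - disbelief


class SRIPValidator:
    """v_0's view: its reputations, shared keys, and the validation steps of Section 5.1."""

    def __init__(self, me, routers, reputation, keys, theta1, theta2):
        self.me = me                 # name of v_0
        self.routers = routers       # name -> Router; stands in for the network
        self.rep = reputation        # v_0's rating of each router, in [0, 1]
        self.keys = keys             # routers v_0 shares a secret key with (legitimate routers)
        self.theta1, self.theta2 = theta1, theta2
        # subnets attached to some legitimate router (the router-prefix mapping of Section 3.2)
        self.prefixes = {p for n in keys for p in routers[n].prefixes}

    def level(self, node):
        """Rules 1-3 of Section 4.2: the reputation band v_0 places `node` in."""
        r = self.rep.get(node, 0.0)
        return "low" if r < self.theta1 else "medium" if r < self.theta2 else "high"

    def request(self, node, dest, pred):
        """Route request of Table 1: node's entries for dest and for its predecessor pred."""
        t = self.routers[node].table
        return t.get(dest, (INFINITY, None)), t.get(pred, (INFINITY, None))

    def authenticate(self, node, dest):
        """Router/prefix authentication: dest is node itself or a subnet attached to it."""
        return node in self.keys and (dest == node or dest in self.routers[node].prefixes)

    def validate(self, v1, dest, dist, nh):
        """Validate [dest, dist, nh] advertised by v1. Returns (accepted, reason, nodes consulted)."""
        if self.level(v1) == "low":                                  # Rule 1
            return False, "low reputation: advertisement ignored", []
        legit = lambda x: x in self.keys or x in self.prefixes
        # Step 1: self-consistency
        if not (legit(v1) and legit(nh) and legit(dest)):
            return False, "illegitimate entity in advertisement", []
        if dist == 0 and nh != v1:
            return False, "dist 0 but next hop is not the advertiser", []
        if 1 <= dist <= 15 and nh in (self.me, v1):
            return False, "route advertised back towards its source", []
        # Step 2: directly attached destination
        if dist == 0:
            ok = self.authenticate(v1, dest)
            return ok, "router/prefix authentication " + ("ok" if ok else "failed"), []
        # Step 4: an infinity route is accepted without validation
        if dist > 15:
            return True, "unreachable route accepted without validation", []
        # Step 3: consistency check; the window grows one node at a time (Section 4.3)
        consulted, pred, pred_dist, node = [v1], v1, dist, nh
        while True:
            if node == self.me or node in consulted:
                return False, "loop in next-hop chain", consulted
            (d_dest, next_nh), (d_pred, _) = self.request(node, dest, pred)
            # pred must be one hop from node, and pred's distance must be node's plus that hop
            if d_pred != 1 or pred_dist != d_dest + d_pred:
                return False, f"{node} disagrees with {pred}", consulted
            consulted.append(node)
            if d_dest == 0:                      # v_n reached: authentication decides
                ok = self.authenticate(node, dest)
                return ok, "destination " + ("authenticated" if ok else "rejected"), consulted
            conf = combine(self.rep[c] for c in consulted)
            if conf >= self.theta2 or self.level(v1) == "high":   # Rule 3: one node suffices
                return True, f"accumulated confidence {conf:.2f}", consulted
            pred, pred_dist, node = node, d_dest, next_nh


def build_network():
    """Constructed chain v1 - v2 - v3 - v4 with subnet P attached to v4; v0 hangs off v1."""
    P = "10.4.0.0/16"
    return {
        "v1": Router("v1", {"v1": (0, "v1"), "v2": (1, "v2"), "v3": (2, "v2"), "v4": (3, "v2"), P: (3, "v2")}),
        "v2": Router("v2", {"v1": (1, "v1"), "v2": (0, "v2"), "v3": (1, "v3"), "v4": (2, "v3"), P: (2, "v3")}),
        "v3": Router("v3", {"v1": (2, "v2"), "v2": (1, "v2"), "v3": (0, "v3"), "v4": (1, "v4"), P: (1, "v4")}),
        "v4": Router("v4", {"v1": (3, "v3"), "v2": (2, "v3"), "v3": (1, "v3"), "v4": (0, "v4"), P: (0, "v4")}, {P}),
    }


def make_validator(rep_v1=0.5):
    """v_0 with constructed ratings and the 'Partially Secured-1' thresholds (0.1, 0.9)."""
    rep = {"v1": rep_v1, "v2": 0.6, "v3": 0.7, "v4": 0.9}
    return SRIPValidator("v0", build_network(), rep, {"v1", "v2", "v3", "v4"}, 0.1, 0.9)


if __name__ == "__main__":
    v0 = make_validator()
    for adv in [("v1", "v4", 3, "v2"),                 # honest advertisement
                ("v1", "v4", 1, "v2"),                 # shorter-distance fraud
                ("v1", "v4", 2, "v3"),                 # next-hop fraud: remote node as next hop
                ("v1", "10.4.0.0/16", 0, "v1")]:       # prefix fraud: v1 is not attached to P
        print(adv, v0.validate(*adv))
```

With v_1 rated 0.5, the honest route is accepted after consulting v_2 and v_3 (1 - 0.5·0.4·0.3 = 0.94 ≥ θ_2); the shorter-distance and remote-next-hop frauds fail at the first consulted node, because v_2 reports dist(v_2, v_4) = 2 and v_3 reports dist(v_3, v_1) = 2 respectively.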



5.2 Threat Analysis 

A node may misbehave in several ways: 1) advertising false routing information; 2) providing false routing information specifically during a consistency check; 3) dropping a validation request/reply message or not responding to a validation request; 4) manipulating a validation request/reply message originated from other nodes; 5) providing correct routing information but not forwarding data traffic.

1) Advertising false routing information. Given a route [v_n, dist(v_1, v_n), nh(v_1, v_n)] advertised by node v_1 to v_0, v_1 may provide false information about v_n, dist, nh, or any combination.

1.1) Destination Fraud. v_1 may advertise a route for a nonexistent destination v_n. Under our proposal, such misbehavior can be detected since v_0 does not share a secret key with v_n if it is not a legitimate entity in the network.

1.2) Distance Fraud. v_1 may advertise a fraudulent distance to a destination v_n, e.g., longer or shorter than the actual distance. If dist(v_1, v_n) = 0, but v_1 is actually one or more hops away from v_n, v_0 can detect this fraud by router/prefix authentication. Other shorter or longer distance fraud can be detected by cross-checking consistency with those nodes which propagated the route in question. There are three scenarios in which consistency within the corroborating group may not represent correctness: a) the nodes in the corroborating group are simultaneously misled by one or more misbehaving nodes; b) the nodes in the corroborating group are colluding; c) a subset of the corroborating group are colluding and mislead the rest of the nodes. Our idea is that by increasing the size of the corroborating group, it becomes increasingly unlikely that these scenarios go undetected.

1.3) Next Hop Fraud. Node v_1 may provide a fraudulent next hop to support its claim of a longer or shorter distance. First, v_1 may use fictional nodes as next hops. v_1 then intercepts from v_0 the subsequent validation requests to these nodes and sends back false responses on their behalf. In our scheme, a fictional node can be detected since v_0 does not share a prior secret with it. Second, v_1 may use a remote node (i.e., a node not directly connected to v_1) as the next hop. For example, suppose v_1 is 5 hops away from v_n. If v_1 learns that v_m is one hop away from v_n, it may claim to be two hops away from v_n and use v_m as the next hop. Unless v_m is willing to provide false information (e.g., dist(v_m, v_1) = 1) to cover v_1's misbehavior, v_0 will be able to detect this fraud. In the case that v_m is willing to collude with v_1, we treat it as the case that v_1 establishes a virtual link (e.g., a TCP connection) with v_m, and they forward packets to each other over the virtual link. This misbehavior is equivalent to the wormhole attack studied by Hu, Perrig, and Johnson [10]. S-RIP may detect such an attack if prior knowledge of node physical connections is assumed. Otherwise, the Packet Leashes defense mechanism [10] should be used.
2) Providing false routing information in a consistency check. The fraud could be on distance or next hop. When the false information causes inconsistency, the consequences are: 2.1) correct routing advertisements may be disregarded by well-behaved nodes. We think it is not to the advantage of a misbehaving node to mislead another node by this type of misbehavior since it may be best to avoid a "valid" route through a misbehaving node in any case. By dropping a route involving a misbehaving node, the validating node may take an alternative good route, albeit possibly a suboptimal one. 2.2) the reputation of a well-behaved node may be decreased as a result of false information arising from a misbehaving node. In the worst case, if node v_0's rating of node v_1's reputation is decreased to the low range, v_0 will disregard v_1's routing advertisements for a certain period of time. Since consistency checks occur only on route changes, a misbehaving node v_m can only damage v_1's reputation when there is a route change which involves both v_m and v_1 in a consistency check. v_m's own reputation may also be decreased if it provides false information. Therefore, v_m is unable to damage another node's reputation at will. On the other hand, v_1 has other chances to increase its reputation when it advertises good routes (not going through v_m) to v_0. So the effect of this type of misbehavior depends on the network topology and the location of the misbehaving nodes. If one or more misbehaving nodes are located on the links which form a network cut, they may be able to completely partition the network through collusion. It would appear no approach is resilient to such misbehavior.

3) Dropping a validation request/reply message or not responding to a validation request. This misbehavior can disrupt a validation process. As a result, the route being validated will be dropped. We do not consider this a major drawback since dropping a route with misbehaving nodes en route allows an alternative route to be discovered. An adversary may launch this type of attack when it is not willing to forward packets for other nodes. As discussed before, a misbehaving node can avoid traffic in many other ways, e.g., dropping packets based on source or destination addresses, or simply disabling a network interface. We rely upon network redundancy and other mechanisms [20,12] to counter this type of misbehavior.

4) Manipulating a validation request/response message originated from other nodes. If all routers are deployed with S-RIP and use MD5 for message authentication, validation request/response messages cannot be manipulated en route. However, communication between a secured router and a remote non-secured router is not authenticated. The consequences are: 4.1) A routing response sent back by a remote non-secured router can be modified by an adversary en route. The adversary may modify the routing response in such a way that it confirms the consistency of a false advertised route. 4.2) An adversary may intercept routing requests sent to a non-secured router, and produce false responses on behalf of that router. This vulnerability can be addressed by IP layer security. For example, if IPsec is available, an adversary would not be able to manipulate or intercept routing requests or responses between two remote nodes. It can also be mitigated if we assume that an adversary does not have the capability to launch attacks at the packet level. It is easy for an adversary to manipulate a routing table to make a router broadcast fraudulent routing information. It may not be that easy to manipulate packets transmitted through a router if the adversary does not have sufficient control over that router, e.g., to modify and compile source code or install malicious software.
5) Providing correct routing information but not forwarding data traffic. We can make routing request and response messages indistinguishable from normal data traffic to validate the forwarding-level behavior of intermediate routers. Other detection techniques (e.g., probing [12]) for identifying such misbehaving routers can also be integrated into S-RIP; we do not address the issue in this paper.

One characteristic of S-RIP is that it does not guarantee that a validated route is optimal. In fact, S-RIP only validates route consistency, without considering the cost. S-RIP always accepts a consistent route and disregards an inconsistent one regardless of its cost. Therefore, an optimal route involving a misbehaving node may not be used. We consider this a good tradeoff between routing security and efficiency.

5.3 Efficiency Analysis

We consider the worst case here. The efficiency of average cases is analyzed by simulation (§6).

Suppose there are n routers and m subnets in a network, and the average length of a route is l + 1 hops. For maximum security, every router validates every route with all other routers on that route. For a single route of l + 1 hops, the number of messages required for a consistency check, requests and responses included, is 2·l. Each message travels a number of hops. The first request message is sent to the node two hops away, and travels 2 hops. The last request message is sent to the node l + 1 hops away, and travels l + 1 hops. A response message travels the same number of hops as the corresponding request message, assuming they travel the same route in opposite directions. Therefore, the total number of hops (message transmissions) travelled by both request and response messages is $2 \cdot [2 + 3 + \cdots + (l+1)] = l(l+3)$. Assume every router keeps a route for every subnet in the network. Each router then needs $l(l+3) \cdot m$ message transmissions to validate every route. Over the whole network, the total number of message transmissions in the most secure case is $l(l+3) \cdot m \cdot n$.

We use RIP messages for route requests and responses. Each route request needs two route entries, one for the routing information from the recipient to the ultimate destination, and one from the recipient to its predecessor node on that route. The RIP message header is 24 bytes including authentication data, and each route entry is 20 bytes. Thus, one route request or response is 64 bytes. Adding the UDP header (8 bytes) and the IP header (20 bytes), a packet carrying a route request or response is 92 bytes. The total overhead of routing validation, in addition to the overhead of regular routing updates, in the most secure case, is $92 \cdot l(l+3) \cdot m \cdot n$ bytes.

As confirmed by our simulation (§6), the validation overhead of S-RIP is prohibitively expensive in the maximally secured case. However, S-RIP provides the flexibility for balancing security and efficiency via two configurable thresholds θ_1 and θ_2 (§4.2). In practice, we expect that the maximally secured case may only be applied to a small network (i.e., one whose number of nodes and network diameter are small). In other scenarios, θ_1 and θ_2 can be adjusted to obtain a comfortable level of security and efficiency.

S-RIP validation overhead can also be reduced by an optimized implementation (e.g., transmitting several route requests or responses in a single message). For example, if v_1 advertises to v_0 three routes with the same next hop v_2, v_0 can send a single message with 4 route entries to v_2, one for each of the three advertised destinations and one for v_1. The size of the packet carrying this message is 132 bytes, considerably less than the 276 bytes which are the total size of three standard packets (each 92 bytes long).
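The worst-case accounting of this section carried through in code, as an added example that is not part of the paper. It uses the RIP header, entry, UDP and IP sizes given above, sums the per-request hop counts 2, 3, ..., l + 1 directly rather than taking a closed form, and compares separate packets against the batched message of the last paragraph. The topology parameters passed in the usage are constructed, not the paper's simulated ones.

```python
# RIP on-the-wire sizes used in Section 5.3 (bytes)
RIP_HEADER = 24   # RIP message header including the authentication entry
RIP_ENTRY = 20    # one RIP route entry
UDP_HEADER = 8
IP_HEADER = 20


def packet_size(entries):
    """Wire size of one request or response carrying `entries` RIP route entries."""
    return IP_HEADER + UDP_HEADER + RIP_HEADER + RIP_ENTRY * entries


def request_hops(l):
    """Hops travelled by each request when a route of l + 1 hops is validated with
    every router on it: the consulted nodes are 2, 3, ..., l + 1 hops away from v_0."""
    return list(range(2, l + 2))


def check_transmissions(l):
    """Total hops travelled by requests and responses for one route. Each response
    retraces its request, so the sum 2 + 3 + ... + (l + 1) is counted twice."""
    return 2 * sum(request_hops(l))


def worst_case_overhead(n, m, l):
    """(message transmissions, bytes) when each of n routers validates its route to
    each of m subnets with all other routers on the route (average length l + 1),
    every message being a 2-entry packet."""
    per_route = check_transmissions(l)
    transmissions = per_route * m * n
    return transmissions, transmissions * packet_size(2)


def batched_overhead(k):
    """Bytes for checking k routes that share one next hop: k separate 2-entry packets
    versus a single packet with k + 1 entries (k destinations plus the advertiser)."""
    return k * packet_size(2), packet_size(k + 1)


if __name__ == "__main__":
    # constructed parameters: 10 routers, 20 subnets, average route length 4 hops (l = 3)
    print("2-entry packet:", packet_size(2), "bytes")
    for l in range(1, 5):
        print(f"l={l}: per-route transmissions {check_transmissions(l)} = l(l+3) = {l * (l + 3)}")
    print("worst case (n=10, m=20, l=3):", worst_case_overhead(10, 20, 3))
    print("three routes, separate vs batched:", batched_overhead(3))
```

For a route of l + 1 hops the per-route total evaluates to l(l + 3) transmissions; a 2-entry packet is 92 bytes and the batched 4-entry packet 132 bytes against 276 for three separate packets, matching the figures in the text.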



5.4 Incremental Deployment 

A practical challenge of securing routing protocols is how to make the secured version interoperable with the existing infrastructure. Despite their technical merits, many proposed mechanisms for securing routing protocols are not widely deployed because they require significant modifications to existing implementations and/or do not provide backward interoperability. Since it is unrealistic to expect that an existing routing infrastructure can be replaced by a secured version in a very short period of time, ideally a secured version should be compatible with the insecure protocol. It is also desirable that security can be increased progressively as more routers are deployed with the secured protocol.

To this end, S-RIP supports incremental deployment. We propose that messages exchanged in S-RIP conform to the message format defined in RIP. S-RIP can be implemented as a compatible upgrade to the existing RIP, and an S-RIP router performs routing functions the same way as a RIP router. Therefore, deploying S-RIP on a router only requires downtime for the period of installation and restart of the RIP processes. Since a RIP router responds to a routing request from a non-direct neighbor (a remote node), an S-RIP router can successfully get information (albeit not authenticated) from a non-secured router for a consistency check. In other words, a RIP router can participate in a consistency check, but not initiate one. Thus, even before S-RIP is deployed on all routers, the routing table of an S-RIP router is partially protected as it is built from validated routing updates. The more routers are deployed with S-RIP, the more reliable the routing tables in the network become. Therefore, security can be increased incrementally.



6 Simulation 

We implemented S-RIP in the network simulator NS2 as an extension to the distance vector routing protocol provided by NS2. S-RIP is triggered if an advertised route is used to update a recipient's routing table. In this section, we present our preliminary simulation results on how routing overhead is affected by different threshold settings and the number of misbehaving nodes in S-RIP.



Table 2. Simulation Scenarios

  Maximally Secured      θ_1 = 0     θ_2 = 1
  Partially Secured-1    θ_1 = 0.1   θ_2 = 0.9
  Partially Secured-2    θ_1 = 0.2   θ_2 = 0.8
  Partially Secured-3    θ_1 = 0.3   θ_2 = 0.7
  Not Secured            θ_1 = 0     θ_2 = 0

6.1 Simulation Environment 

Network Topology: we simulated S-RIP with a number of different network topologies. In this paper, we only present the simulation results for one topology which has 50 routers and 82 network links. Fraud: we simulated misbehaving nodes which commit either or both shorter and longer distance fraud (§3.3). We randomly selected 5, 10, 15, 20, and 25 nodes to commit fraud in each run of the simulation. Note that 25 misbehaving nodes represent 50% of the total nodes. Each misbehaving node periodically (every 2.5 seconds) randomly selects a route from its routing table and makes its distance shorter or longer. Simulation Scenarios: we simulated 5 scenarios (Table 2) by adjusting the thresholds θ_1 and θ_2. Each simulation runs for 180 seconds.

6.2 Routing Overhead 

To determine how much network overhead is generated by S-RIP, we compared the S-RIP overhead to the total routing overhead, which is calculated as the sum of the S-RIP overhead and the regular routing update overhead in RIP. Since the distance vector routing protocol provided by NS2 is not a strict implementation of the RIP RFCs, we could not obtain network overhead directly from the NS2 trace file. We use $\frac{92x}{92x + 632y}$ to calculate the ratio of S-RIP overhead to the total routing overhead, where x is the total number of S-RIP message transmissions, y is the total number of rounds of regular routing updates, 92 bytes is the size of the packet carrying an S-RIP message (see §5.3), and 632 bytes is the overhead generated by one router in one round of regular routing updates. x and y are derived from simulation outputs, which are used to generate Figure 3.

6.3 Simulation Results 

By looking at the output data from the simulation, we observed that an advertised malicious route can be successfully detected by a consistency check. This is precisely what we expected.

Figure 3 compares the S-RIP overhead in different scenarios. 1) In a maximally secured network, S-RIP overhead is very high (about 40% of the total routing overhead). The S-RIP overhead stays relatively flat when the number of misbehaving nodes increases. This is because every node needs to validate every route with every other node on that route. In our implementation, a new route is not considered while the current route is being checked for consistency. Since it takes a long time for a consistency check to complete, most new route changes (malicious or non-malicious) are not checked for their consistency. Therefore, the overhead added by new malicious updates is insignificant. This indicates that the speed of network convergence is significantly slowed down. We expect that it would make no difference in terms of overhead if we allowed a new route to interrupt an ongoing consistency check, as several uncompleted consistency checks would generate a similar amount of S-RIP overhead as a completed one does. 2) In the three partially secured scenarios, S-RIP overhead is relatively low (less than 8.6%) when only 10% of the nodes misbehave. S-RIP overhead increases significantly when the number of misbehaving nodes increases. Since the number of nodes involved in a consistency check is relatively low in these scenarios, a check takes less time to complete. Thus more malicious updates trigger more consistency checks and result in more S-RIP overhead. S-RIP overhead decreases when θ_1 and θ_2 are moved toward each other because: a) the number of nodes involved in a consistency check decreases; b) the number of routes dropped without being checked for consistency increases when more than 20% of the nodes misbehave. 3) There is no S-RIP overhead in a non-secured network since S-RIP is never triggered.

Fig. 3. S-RIP Routing Overhead.

7 Related Work 

Significant work has been done on securing routing protocols. Perlman [22] was the first to study the problem of securing routing protocols. Perlman classified router failures into simple failures and Byzantine failures, and proposed the use of public key signatures, source routing, and other mechanisms for achieving robust flooding and robust routing.

Smith et al. [29] proposed use of digital signatures, sequence numbers, and a loop- 
free path finding algorithm for securing DV routing protocols. One disadvantage is that 
it cannot prevent longer or shorter distance fraud. 

Mittal and Vigna [18] proposed to use sensor-based intrusion detection for securing 
DV routing protocols. One notable advantage of their approach is that it does not require 
modifications to the routing protocol being secured. Thus, it allows incremental deploy- 
ment. One disadvantage is that it cannot prevent fraudulent routing advertisements from 
poisoning others’ routing tables, although it may be able to detect them. 

Hu, Perrig and Johnson [9,11] proposed several efficient mechanisms using one-way hash chains and authentication trees for securing DV routing protocols. Their approach is one of the first attempts to authenticate the factual correctness of DV routing updates, and can prevent shorter and same distance fraud. It can also prevent newer sequence number fraud if a sequence number is used to indicate the freshness of a routing update. However, it does not address longer distance fraud.

Pei et al. [21] proposed a triangle theorem for detecting potentially or probably 
invalid RIP advertisements. Probing messages based on UDP and ICMP are used to 
further determine the validity of a questionable route. One disadvantage is that probing 
messages may be manipulated. A node advertising an invalid route can convince a 
receiver that route is valid by: 1) manipulating the TTL value in a probing message; 
or 2) sending back an ICMP message (port unreachable) on behalf of the destination. 

Many researchers have explored securing link state routing protocols (e.g., OSPF) [22,19,31] and BGP [28,14,7,32]. Reputation-based systems have been used to facilitate trust in electronic commerce [25,33].

8 Concluding Remarks 

We expect our framework can be applied to other non-trustworthy environments, e.g., inter-domain routing protocols and wireless ad hoc networks. Future research includes: 1) performing a detailed analysis of S-RIP and comparing it with other secure DV protocols (e.g., SEAD [11]); 2) applying the framework to securing BGP [24].
Abstract. Internet service providers have resisted deploying Denial-of-Service (DoS) protection mechanisms despite numerous research results in the area. This is so primarily because ISPs cannot directly charge users for the use of such mechanisms, discouraging investment in the necessary infrastructure and operational support.

We describe a pay-per-use system that provides DoS protection for web servers and clients. Our approach is based on WebSOS, an overlay-based architecture that uses reverse Turing tests to discriminate between humans and automated processes that are part of an attack. We extend WebSOS with a credential-based micropayment scheme that combines access control and payment authorization in one operation. Contrary to WebSOS, we use Graphic Turing Tests (GTTs) to prevent malicious code, such as a worm, from using a user's micropayment wallet. Our architecture allows ISPs to accurately charge web clients and servers. Clients can dynamically decide whether to use WebSOS, based on the prevailing network conditions.



1 Introduction 

One of the main threats to the reliability of Web services is Denial-of-Service (DoS) attacks: attacks that produce an excessive surge of bogus service requests against the target, starving it of processing and/or link capacity. These attacks have dire consequences for the target's service viability, since availability and quality of service are of critical importance for the majority of modern on-line services.

Despite considerable research on devising methods for protection against such at- 
tacks [15,29,28,26,22,32], so far none of these mechanisms has been widely adopted. 
Moreover, it has been argued recently [11] that the network DoS problem is inherently 
impossible to solve without infrastructure support. 

However, ISPs seem reluctant to deploy such mechanisms. Investment in the necessary infrastructure and operational support is discouraged because such mechanisms represent a poor value proposition: fundamentally, ISPs cannot charge users for the use of such mechanisms. One possible solution would be a system with the ability both to protect against DoS attacks and to provide a service payment scheme that would allow ISPs to recoup their costs and support the continued operation and maintenance of this infrastructure. Such incentives would motivate router manufacturers to provide appropriate support in their products.

In this paper, we describe a pay-per-use system that provides DoS protection for web 
servers and clients. Our approach is based on WebSOS, an overlay-based architecture that 
uses reverse Turing tests to discriminate between humans and automated processes that 
are part of an attack. We extend WebSOS with a credential-based micropayment scheme 
that combines access control and payment authorization. Our architecture allows ISPs 
to accurately charge web clients and servers. Clients can dynamically decide whether to 
use WebSOS, based on the prevailing network conditions. 

WebSOS [23], an enriched implementation of Secure Overlay Services (SOS) [22], is a DoS-protection architecture for web services. WebSOS enhances the resilience of Web services against congestion-based DDoS attacks, acting as a distributed firewall and filtering attack traffic before it reaches the target. The network immediately surrounding attack targets is protected by high-performance routers that aggressively filter and block all incoming connections from hosts that are not approved. Only a small number of secretly selected secure access points within WebSOS are allowed to contact the target directly. The rest of the nodes use the overlay network as a routing mechanism to forward requests to these secret nodes (the identity of which varies in time). WebSOS uses Graphic Turing Tests [33] as a means to differentiate anonymous users from automated zombies. Upon connection to the access point, the user is prompted with a GTT. By preventing large-scale automated attacks, these tests allow enough time for the overlay system to heal in case of an attack. Contrary to WebSOS, we present the Graphic Turing Test (GTT) only after the user's credentials have been checked, to prevent malicious code, such as a worm, from using a user's micropayment wallet. This change in order is possible because our service is not anonymous: we have a means of authenticating the user credentials.

We extend WebSOS to include a lightweight offline electronic payment scheme. Although practically any micropayment system can be used in our model, we chose a payment system that can inter-operate with WebSOS' distributed architecture and provide the necessary user credentials. OTPchecks [16] encompasses all these properties: it is a simple distributed scheme, intended for general Internet-based micropayments, that produces bank-issued user credentials which can in turn be used to acquire small-valued payment tokens. It has very low transaction overhead and can be tuned to use different risk strategies for different environments, making it a suitable payment solution for a wide range of on-line services.

The remainder of this paper is organized as follows: Section 2 gives an overview of Secure Overlay Services (SOS) and discusses the specifics of the WebSOS architecture, giving an overview of Graphic Turing Tests. At the end of that section we provide details on OTPchecks, our micropayment scheme, and its risk strategies. Section 3 presents a detailed description of the extended WebSOS system. Related work is presented in Section 4. Section 5 concludes the paper.
2 Background 

Since our approach is based on the Secure Overlay Services (SOS) [22] architecture, we 
will start by giving a brief overview of its important aspects. 

2.1 Overview of SOS 

Fundamentally, the goal of the SOS infrastructure is to distinguish between authorized 
and unauthorized traffic. The former is allowed to reach the destination, while the latter 
is dropped or is rate-limited. Thus, at a very basic level, SOS requires the functionality of 
a firewall “deep” enough in the network that the access link to the target is not congested. 
This imaginary firewall performs access control by using protocols such as IPsec [21]. 
This generally pre-supposes the presence of authentication credentials (e.g., X.509 [6] 
certificates) that a user can use to gain access to the overlay. 


Fig. 1. Basic SOS architecture. Access Points represent an entry point to the SOS overlay. SOS 
nodes can serve any of the roles of secure access point, beacon or Secret Servlet. 


Since traditional firewalls themselves are susceptible to DoS attacks, what is really 
needed is a distributed firewall [2,17]. To avoid the effects of a DoS attack against 
the firewall connectivity, instances of the firewall are distributed across the network. 
Expensive processing, such as cryptographic protocol handling, is farmed out to a large 
number of nodes. However, firewalls depend on topological restrictions in the network to 
enforce access-control policies. In what we have described so far, an attacker can launch 
a DoS attack with spoofed traffic purporting to originate from one of these firewalls, 
whose identity cannot be assumed to remain forever secret. The insight of SOS is that, 
given a sufficiently large group of such firewalls, one can select a very small number 
of these as the designated authorized forwarding stations: only traffic forwarded from 
these will be allowed through the filtering router. In SOS, these nodes are called secret 
servlets. All other firewalls must forward traffic for the protected site to these servlets. 
Figure 1 gives a high-level overview of a SOS infrastructure that protects a target node 
or site so that it only receives legitimate transmissions. Note that the secret servlets can 
change over time, and that multiple sites can use the same SOS infrastructure. 

To route traffic inside the overlay, SOS uses Chord [30], which can be viewed as 
a routing service that can be implemented atop the existing IP network fabric, i.e., as 
a network overlay. Consistent hashing [19] is used to map an arbitrary identifier to a 
unique destination node that is an active member of the overlay. 

SOS uses the IP address of the target (i.e., web server) as the identifier to which the 
hash function is applied. Thus, Chord can direct traffic from any node in the overlay to 
the node that the identifier is mapped to, by applying the hash function to the target’s IP 
address. This node, where Chord delivers the packet, is not the target, nor is it necessarily 
the secret servlet. It is simply a unique node that will eventually be reached, after 
up to m = log N overlay hops, regardless of the entry point. This node is called the 
beacon, since it is to this node that packets destined for the target are first guided. Chord 
therefore provides a robust and reliable, while relatively unpredictable for an adversary, 
means of routing packets from an overlay access point to one of several beacons. 

Finally, the secret servlet uses Chord to periodically inform the beacon of the secret 
servlet’s identity. Should the servlet for a target change, the beacon will find out as soon 
as the new servlet sends an advertisement. If the old beacon for a target drops out of the 
overlay, Chord will route the advertisements to the node closest to the hash of the target’s 
identifier. Such a node will know that it is the new beacon because Chord will not be 
able to further forward the advertisement. By providing only the beacon with the identity 
of the secret servlet, traffic can be delivered from any firewall to the target by traveling 
across the overlay to the beacon, then from the beacon to the secret servlet, and finally 
from the secret servlet, through the filtering router, to the target. This allows the overlay 
to scale for arbitrarily large numbers of overlay nodes and target sites. Unfortunately, this 
also increases the communication latency, since traffic to the target must be redirected 
several times across the Internet. If the overlay only serves a small number of target 
sites, regular routing protocols may be sufficient. 
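The beacon lookup just described, as an added example that is not code from SOS or WebSOS: a simulated Chord ring in which the beacon for a target is the successor of the target's hashed IP address, a servlet advertisement reaches that beacon from any entry point, and a departed beacon is replaced by the next node clockwise. The identifier width M, the SHA-1 truncation and all node addresses are assumptions.

```python
import hashlib
from bisect import bisect_left

M = 32                 # identifier bits (assumption); the ring holds 2**M identifiers
RING = 1 << M


def chord_id(name: str) -> int:
    """Consistent hash of an address onto the identifier ring (SHA-1 truncated to M bits)."""
    return int.from_bytes(hashlib.sha1(name.encode()).digest(), "big") % RING


def between(x: int, a: int, b: int) -> bool:
    """True if x lies strictly inside the clockwise interval (a, b) on the ring."""
    if a < b:
        return a < x < b
    return x > a or x < b            # the interval wraps past identifier 0


class Overlay:
    """Simulated SOS overlay: every node can route; only beacons hold servlet state."""

    def __init__(self, nodes):
        self.ids = sorted(chord_id(n) for n in nodes)
        self.names = {chord_id(n): n for n in nodes}
        self.servlet_of = {}          # beacon id -> {target: secret servlet}

    def successor(self, key: int) -> int:
        """First live node at or after key, clockwise (wrapping to the smallest id)."""
        i = bisect_left(self.ids, key % RING)
        return self.ids[i % len(self.ids)]

    def closest_preceding(self, n: int, key: int) -> int:
        """Finger of n closest to key without passing it; each hop at least halves the distance."""
        for k in reversed(range(M)):
            f = self.successor(n + (1 << k))
            if between(f, n, key):
                return f
        return self.successor(n + 1)

    def lookup(self, entry: str, target: str):
        """Route from the entry node to the beacon for target: (beacon name, hops taken).
        The loop test uses the simulator's global view; a real node only sees its fingers."""
        key, n, hops = chord_id(target), chord_id(entry), 0
        while self.successor(key) != n:               # n is the beacon once it owns the key
            succ = self.successor(n + 1)
            if key == succ or between(key, n, succ):
                n = succ                                # final hop: the successor owns the key
            else:
                n = self.closest_preceding(n, key)
            hops += 1
        return self.names[n], hops

    def advertise(self, servlet: str, target: str) -> str:
        """Secret servlet tells the beacon for target who it is; returns the beacon reached."""
        beacon, _ = self.lookup(servlet, target)
        self.servlet_of.setdefault(chord_id(beacon), {})[target] = servlet
        return beacon

    def resolve(self, access_point: str, target: str):
        """Access point asks the beacon which servlet forwards to target (the WebSOS shortcut)."""
        beacon, hops = self.lookup(access_point, target)
        return self.servlet_of.get(chord_id(beacon), {}).get(target), hops

    def leave(self, node: str) -> None:
        """A node (beacon included) drops out; the next node clockwise inherits its keys,
        but learns the servlet only when the servlet's next advertisement arrives."""
        nid = chord_id(node)
        self.ids.remove(nid)
        self.names.pop(nid)
        self.servlet_of.pop(nid, None)
```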

2.2 Graphic Turing Tests 

Graphic Turing Tests (GTTs) are tests designed to provide a way of differentiating a 
human from a machine by presenting the user with a set of images and asking questions 
about the content of the images. CAPTCHA (Completely Automated Public Turing test 
to Tell Computers and Humans Apart) is a program that generates and grades GTTs [33]. 

The particular CAPTCHA realization we use is PIX. It consists of a large database 
of labeled images. All of these images are pictures of concrete objects (a horse, a table, a 
house, a flower, etc). The program picks an object at random, finds 6 random images of 
that object from its database, distorts them at random, presents them to the user and then 
asks the question "what are these pictures of?" as shown in Figure 2. PIX relies on the 
fact that humans can relate the objects within the distorted image and current automated 
tools cannot. The human authenticates himself/herself by entering the description of 
the object in ASCII text. Graphic Turing Tests are an independent component of our 
architecture and thus we can update them without changing any other component. 
[Figure 2 screenshot: CAPTCHA implementation showing the prompt "What are these pictures of?", 
an Enter button, and the note that the CAPTCHA library was obtained from the CMU CAPTCHA Project] 

Fig. 2. Web Challenge using CAPTCHA PIX. The challenge in this case is “baby or babies”. 



Although recent advances in visual pattern recognition [24] can defeat some of the 
CAPTCHAs, there is no solution to date that can recognize complicated images or 
relations between images like PIX or Animal-PIX. Although for demonstration purposes 
in our prototype we use PIX, we can easily substitute it with any other instance of Graphic 
Turing Test in case a solution to the problem presented by this specific CAPTCHA is 
discovered. 



2.3 WebSOS 

WebSOS is the first instantiation of the SOS architecture. The access points participating 
in the overlay are implemented using Web proxies with SSL to provide two layers of 
encryption. A source that wants to communicate with the target contacts a random 
overlay node, the Secure Access Point. After authenticating and authorizing the request 
via the CAPTCHA test, the overlay node securely proxies all traffic from the source 
to the target via one of the beacons. The Secure Overlay Access Point (SOAP) (and all 
subsequent hops on the overlay) can proxy the HTTP request to an appropriate beacon 
in a distributed fashion using Chord, by applying the appropriate hash function(s) to the 
target’s IP address to identify the next hop on the overlay. To minimize delays in future 
requests, the client is issued a short-duration X.509 certificate, bound to the SOAP and 
the client’s IP address, that can be used to directly contact the proxy-server component 
of the SOAP without requiring another CAPTCHA test. 
In WebSOS, routing decisions are made on a per-connection basis. Any subsequent 
requests over the same connection (when using HTTP 1.1) and any responses from the 
web server can take the reverse path through the overlay. While this makes the 
implementation simpler, it also introduces increased latency, as the bulk of the traffic will also 
traverse the overlay. To deal with this issue, an adaptation of the initial implementation 
was created: rather than transporting the request and response through the full overlay 
network, only routing information travels through the overlay. As before, the requester 
makes a proxy request to the SOAP. At that point, the SOAP sends a UDP message into 
the overlay, specifying the target. The message is routed to the beacon, which responds 
directly to the SOAP with information on the secret servlet for that target. The SOAP 
then connects to the servlet, which proxies the request as before, in effect creating a 
shortcut through the overlay. 

The SOAP caches the servlet information for use in future requests. That information 
is timed out after a period of time to allow for changes to propagate correctly. The same 
basic UDP protocol is used by servlets to announce their presence to (and periodically 
update) the beacons for the various targets. 

2.4 OTPchecks Micropayment System 

The general architecture of this microbilling system is shown in Figure 3. In 3, the Check 
Guarantor plays the role of Provisioning, the Network User plays the role of Payer, and 
the Network Storage Provider (or another NU acting as an NSP) plays the role of the 
Merchant. Clearing is done either by a financial institution (if real money is used) or by 
a selected user of the system (when loyalty points or “play money” are used). 

In this system, the Provisioning agent issues KeyNote [4] credentials to Payers and 
Merchants. These credentials describe the conditions under which a Payer is allowed 
to perform a transaction, and the fact that a Merchant is authorized to participate in 
a particular transaction. When a Payer wants to buy something from a Merchant, the 
Merchant first encodes the details of the proposed transaction into an offer which is 
transmitted to the Payer. 

If the Payer wishes to proceed, she must issue to the Merchant a microcheck for this 
offer. The microchecks are also encoded as KeyNote credentials that authorize payment 
for a specific transaction. The Payer creates a KeyNote credential signed with her public 
key and sends it, along with her Payer credential, to the Merchant. This credential is 
effectively a check signed by the Payer (the Authorizer) and payable to the Merchant 
(the Licensee). The conditions under which this check is valid match the offer sent to 
the Payer by the Merchant. Part of the offer is a nonce, which maps payments to specific 
transactions, and prevents double-depositing of microchecks by the Merchant. 

To determine whether he can expect to be paid (and therefore whether to accept the 
payment), the Merchant passes the action description (the attributes and values in the 
offer) and the Payer’s key along with the Merchant’s policy (that identifies the Provisioning 
key), the Payer credential (signed by Provisioning) and the microcheck credential 
(signed by the Payer) to his local KeyNote compliance checker. If the compliance checker 
authorizes the transaction, the Merchant is guaranteed that Provisioning will allow 
payment. The correct linkage among the Merchant’s policy, the Provisioning key, the Payer 
key, and the transaction details follows from KeyNote’s semantics [4]. 
Fig. 3. Microbilling architecture diagram. We have the generic terms for each component, and in 
parentheses the corresponding players in 3. The arrows represent communication between the two 
parties: Provisioning issues credentials to Payers and Merchants; these communicate to complete 
transactions; Merchants send transaction information to Clearing which verifies the transaction 
and posts the necessary credits/charges or arranges money transfers. Provisioning and Clearing 
exchange information on the status of Payer and Merchant accounts. 



If the transaction is approved, the Merchant should give the item to the Payer and 
store a copy of the microcheck along with the payer credential and associated offer details 
for later settlement and payment. If the transaction is not approved because the limits in 
the payer credentials have been exceeded then, depending on their network connectivity, 
either the Payer or the Merchant can request a transaction-specific credential that can be 
used to authorize the transaction. Observe that this approach, if implemented 
transparently and automatically, provides a continuum between online and offline transactions 
tuned to the risk and operational conditions. 

Periodically, the Merchant will ‘deposit’ the microchecks (and associated transaction 
details) it has collected to the Clearing and Settlement Center (CSC). The CSC may 
or may not be run by the same company as the Provisioning, but it must have the 
proper authorization to transmit billing and payment records to the Provisioning for 
the customers. The CSC receives payment records from the various Merchants; these 
records consist of the Offer, and the KeyNote microcheck and credential from the payer 
sent in response to the offer. In order to verify that a microcheck is good, the CSC goes 
through the same procedure as the Merchant did when accepting the microcheck. If the 
KeyNote compliance checker approves, the check is accepted. Using her public key as 
an index, the payer’s account is debited for the amount of the transaction. Similarly, the 
Merchant’s account is credited for the same amount. 

The central advantage of this architecture is the ability to encode risk management 
rules for micropayments in user credentials. Other electronic systems have focused on 
preventing fraud and failure, rather than on managing it. In many cases with such systems, 
the prevention mechanisms can be too expensive for micropayments, making the risk 
management approach particularly attractive. 
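The offer, microcheck, compliance check and deposit steps described in this section, as an added example that is not the OTPchecks or KeyNote implementation: assertions are modelled as JSON bodies and their signatures as HMAC-SHA256 under a key the verifier holds (a stand-in for KeyNote's public-key signatures, so the verifier is handed the signer's key directly); amounts are in cents, and all keys, party names and amounts are constructed.

```python
import hashlib
import hmac
import json
import os


def canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier authenticate the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, body: dict) -> dict:
    """Stand-in for a signed KeyNote assertion: HMAC-SHA256 over the canonical body."""
    return {"body": body, "sig": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


def verify(key: bytes, assertion: dict) -> bool:
    expected = hmac.new(key, canonical(assertion["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(assertion["sig"], expected)


def issue_payer_credential(keys: dict, payer: str, currency: str, max_per_check: int) -> dict:
    """Provisioning encodes its risk-management rule (per-check limit, cents) in the credential."""
    body = {"payer": payer, "currency": currency, "max_per_check": max_per_check}
    return sign(keys["provisioning"], body)


def make_offer(merchant: str, amount: int, currency: str, item: str) -> dict:
    """Merchant side: the nonce ties any microcheck to this one transaction."""
    return {"merchant": merchant, "amount": amount, "currency": currency,
            "item": item, "nonce": os.urandom(8).hex()}


def write_microcheck(keys: dict, payer: str, offer: dict) -> dict:
    """Payer side: a check by the Authorizer, payable to the Licensee, for exactly this offer."""
    body = {"authorizer": payer, "licensee": offer["merchant"], "amount": offer["amount"],
            "currency": offer["currency"], "nonce": offer["nonce"]}
    return sign(keys[payer], body)


def compliance_check(keys: dict, payer_cred: dict, microcheck: dict, offer: dict):
    """What the Merchant runs locally before accepting, and the CSC repeats at deposit time."""
    if not verify(keys["provisioning"], payer_cred):
        return False, "payer credential not issued by Provisioning"
    cred, chk = payer_cred["body"], microcheck["body"]
    payer_key = keys.get(cred["payer"])
    if chk["authorizer"] != cred["payer"] or payer_key is None or not verify(payer_key, microcheck):
        return False, "microcheck not signed by the credential holder"
    if chk["licensee"] != offer["merchant"] or chk["nonce"] != offer["nonce"]:
        return False, "microcheck is not for this offer"
    if chk["amount"] != offer["amount"] or chk["currency"] != offer["currency"]:
        return False, "amount or currency differs from the offer"
    if chk["currency"] != cred["currency"] or chk["amount"] > cred["max_per_check"]:
        return False, "outside credential limits; a transaction-specific credential is needed"
    return True, "ok"


class ClearingCenter:
    """CSC: re-verifies each deposited microcheck and refuses a second deposit of the same nonce."""

    def __init__(self, keys: dict):
        self.keys, self.deposited, self.balances = keys, set(), {}

    def deposit(self, merchant: str, payer_cred: dict, microcheck: dict, offer: dict):
        ok, why = compliance_check(self.keys, payer_cred, microcheck, offer)
        if not ok:
            return False, why
        if merchant != offer["merchant"]:
            return False, "deposit by a party other than the licensee"
        tx = (merchant, microcheck["body"]["nonce"])
        if tx in self.deposited:
            return False, "double deposit"
        self.deposited.add(tx)
        payer, amount = payer_cred["body"]["payer"], offer["amount"]
        self.balances[payer] = self.balances.get(payer, 0) - amount      # debit, indexed by payer
        self.balances[merchant] = self.balances.get(merchant, 0) + amount
        return True, "settled"
```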
3 Overview of the Pay-per-Use Anti-DoS System 

To illustrate the overall system, we now give a thorough description of the necessary 
software and hardware an ISP needs in order to deploy our pay-per-use DoS protection 
mechanism. 



3.1 ISP Provisioning 

The ISP first creates an overlay network of WebSOS access points (‘servlets’). In 
addition, the routers at the perimeter of the site are instructed to allow traffic only from these 
servlets to reach the interior of the site’s network. These routers are powerful enough 
to do filtering using only a small number of rules on incoming traffic without adversely 
impacting their performance. 

For a payment scheme, we chose the OTPchecks system because of its inherent 
flexibility to accommodate different services and its ability to interoperate with a distributed 
system like WebSOS. Refer to the roles presented in the OTPchecks functional 
description, in Figure 3; the Payer is the client connecting to the access points, the Vendor is the 
ISP providing the DoS protection service, and the web service provider (Target) is the 
clearing entity. The web service provider controls the usage of the service provided via 
the ISP’s network by having the access points delegate payment credentials to each of 
the clients. In this manner, the service payment can be charged either to the client or to 
the web service provider. The ISP, using the same transaction information, charges the 
site providing the web service. The web service itself may charge the user at the same 
or even a higher rate for the DoS protection and possibly for other Internet commodities 
(bandwidth, time etc.) using the data presented by the access points. The overall system 
is presented in Figure 4. 



3.2 System Operation 

We now describe the steps involved in a client using the micropayment scheme in the 
context of WebSOS. For more details on WebSOS system operation, the reader is referred 
to [23]. 



Initialization - System setup. When a WebSOS node is informed that it will act as a 
secret servlet for a site (and after verifying the authenticity of the request, by verifying 
the certificate received during the SSL exchange), it computes the key k for a number of 
well-known consistent hash functions, based on the target site’s network address. Each 
of these keys will identify a number of overlay nodes that will act as beacons for that 
web server. 

Having identified the beacons, the servlets or the target will contact them, notifying 
them of the servlets’ association with a particular target. Beacons will store this 
information and use it to answer the routing queries of the access points who want to connect 
to the target. By providing only the beacon with the identity of the secret servlet, traffic 
can be delivered from any firewall to the target by traveling across the overlay to the 
beacon, then from the beacon to the secret servlet, and finally from the secret servlet, 
through the filtering router, to the target. 

Fig. 4. Pay-per-use DoS protection system operation overview. The user is connected to an access 
point that in turn authenticates the user credentials and issues an X.509 certificate and a signed 
proxylet that allows the user to connect securely to the web service for a limited amount of time. 

Since the standard EAP protocol is used, it is possible to use any or all of the EAP 
sub-protocols. However, since neither EAP nor EAPoL provides any cryptographic protection 
itself, the security of the system depends on the security of the underlying network 
and on the properties of the EAP sub-protocol. Thus, the risks and the protections must 
be matched to provide the desired level of security. 



Buying OTP coins. Whenever a new client host wants to access a service that the ISP 
protects from DoS attacks, the access point attempts to run the EAPoL protocol with 
the client. The status of the client is kept unauthenticated as long as the client fails to 
authenticate through EAPoL. In our case, we provide unauthenticated clients limited 
access so that they can buy OTP coins, used for the actual EAPoL level authentication 
(see below). 



Using OTP coins. Once the Client has acquired a set of OTP coins, it runs the standard 
EAPoL protocol towards the local access point. The protocol run is illustrated in Figure 4. 

Upon connection, the access point requests a user identifier from the client. The client 
answers with a string that identifies the microcheck used for buying the OTP coins, and 
the web service the coins were bought for. This allows the access point to contact 
the correct back-end authenticator, the web service provider (Target). The microcheck 
fingerprint identifies the relevant unused OTP coin pile. 

Once the back-end authenticator receives the identity response, it checks the OTP 
coin pile and sends an OPIE request, requesting the next unused OPIE password, 
i.e., an OTP coin. The Client responds with the next unused coin, i + 1. The back-end 
authenticator checks the coin, records it as used, and replies with an EAP SUCCESS 
message. As the access point receives the EAP SUCCESS message from the back-end 
authenticator, it changes the status of the client into authenticated, and passes the message 
to the client. Shortly before the OTP coin is used up, the back-end authenticator sends 
a new OPIE request and a GTT to the client. 

For the client to continue, it has to reply with the next OTP coin, and the user 
must answer correctly the CAPTCHA challenge. This gives us the ability to have a 
strong protection against malicious code, such as a worm or a zombie process, using 
a user’s micropayment wallet. The lifetime of a coin can be easily configured by the 
service provider. We expect to prompt a user with a CAPTCHA challenge every 30 to 
45 minutes, depending on the service. 

On the other hand, if the client does not want to continue access for any reason, he 
simply does not respond to the request. Thus, if the client goes off-line, the access point 
automatically changes the status of the client’s address into unauthenticated once the 
coin has been used up. 

The access point then issues a short-lived X.509 [6] certificate. This certificate is 
signed by the ISP operating the overlay, and authorizes the holder to access the web 
service that was paid for by the coin. The overlay securely proxies all traffic from the 
source to the target via one of the beacons. The access point (and all subsequent hops on 
the overlay) can proxy the HTTP request to an appropriate beacon in a distributed fashion 
using Chord, by applying the appropriate hash function(s) to the target’s IP address to 
identify the next hop on the overlay. 
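The coin-pile exchange described in the steps above, as an added example that is not the paper's code: the pile is an S/KEY (OPIE) style hash chain, the back-end accepts only the coin that hashes to the last accepted one (so a replayed, reordered or forged coin fails), a CAPTCHA answer is demanded every few coins, and the access point drops a silent client back to unauthenticated once its coin is used up. The coin lifetime, the GTT interval, the PIX label and all addresses and identifiers are assumptions.

```python
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


COIN_LIFETIME = 1800     # seconds one coin keeps a client authenticated (assumption)
GTT_EVERY = 3            # coins spent between CAPTCHA challenges (assumption)


def make_pile(n_coins: int, seed: bytes):
    """Client side: an S/KEY-style chain. The anchor H^n(seed) goes to the back-end; the
    coins H^(n-1)(seed), ..., H^0(seed) are revealed one per authentication, newest first."""
    chain = [seed]
    for _ in range(n_coins):
        chain.append(H(chain[-1]))
    return chain[-1], chain[-2::-1]          # (anchor, coins in spending order)


class BackEnd:
    """The web service provider (Target) acting as back-end authenticator for its coin piles."""

    def __init__(self):
        self.piles = {}          # pile id -> {"last": last accepted coin, "left": int, "spent": int}
        self.pending_gtt = {}    # pile id -> answer the user must give before the next coin counts

    def sell_pile(self, microcheck: bytes, anchor: bytes, n_coins: int) -> str:
        """After the microcheck is accepted: the check's fingerprint names the coin pile."""
        pile_id = hashlib.sha256(microcheck).hexdigest()[:16]
        self.piles[pile_id] = {"last": anchor, "left": n_coins, "spent": 0}
        return pile_id

    def redeem(self, pile_id: str, coin: bytes, gtt_answer=None):
        """Check the next coin: ("SUCCESS", lifetime) or ("FAILURE", reason)."""
        pile = self.piles.get(pile_id)
        if pile is None or pile["left"] == 0:
            return "FAILURE", "unknown or exhausted pile"
        if H(coin) != pile["last"]:                       # replayed, out-of-order or forged coin
            return "FAILURE", "coin does not chain to the last accepted coin"
        if pile_id in self.pending_gtt:                   # a worm holding the wallet stops here
            if gtt_answer != self.pending_gtt[pile_id]:
                return "FAILURE", "GTT not answered"
            del self.pending_gtt[pile_id]
        pile["last"], pile["left"], pile["spent"] = coin, pile["left"] - 1, pile["spent"] + 1
        return "SUCCESS", COIN_LIFETIME

    def next_request(self, pile_id: str):
        """Sent shortly before the current coin is used up: an OPIE request, plus a GTT
        every GTT_EVERY coins (the paper expects one every 30 to 45 minutes)."""
        if self.piles[pile_id]["spent"] % GTT_EVERY == 0:
            self.pending_gtt[pile_id] = "horse"           # constructed PIX label
            return "OPIE+GTT", "What are these pictures of?"
        return "OPIE", None


class AccessPoint:
    """Keeps each client address unauthenticated until the back-end returns EAP SUCCESS."""

    def __init__(self, backends: dict):
        self.backends, self.status, self.expires = backends, {}, {}

    def eapol(self, client_ip: str, identity: str, coin: bytes, now: float, gtt_answer=None):
        pile_id, target = identity.split("@")            # identity response names pile and target
        result, info = self.backends[target].redeem(pile_id, coin, gtt_answer)
        if result == "SUCCESS":                           # EAP SUCCESS is relayed to the client
            self.status[client_ip], self.expires[client_ip] = "authenticated", now + info
        return result, info

    def state(self, client_ip: str, now: float) -> str:
        """A client that stopped answering OPIE requests drops back once its coin is used up."""
        if self.status.get(client_ip) == "authenticated" and now >= self.expires[client_ip]:
            self.status[client_ip] = "unauthenticated"
        return self.status.get(client_ip, "unauthenticated")
```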

This scheme is robust against DoS attacks because if an access point is attacked, the 
confirmed source point can simply choose an alternate access point to enter the overlay. 
Any overlay node can provide all different required functionalities (access point, Chord 
routing, beacon, secret servlet). If a node within the overlay is attacked, the node simply 
exits the overlay and the Chord service self-heals, providing new paths over the re-formed 
overlay to (potentially new sets of) beacons. Furthermore, no node is more important or 
sensitive than others — even beacons can be attacked and are allowed to fail. Finally, if 
a secret servlet’s identity is discovered and the servlet is targeted as an attack point, or 
attacks arrive at the target with the source IP address of some secret servlet, the target 
can choose an alternate set of secret servlets. 

3.3 Experimental Evaluation: Latency Results 

One of the main concerns of people using DoS protection systems is the impact of the 
latency overhead on the end users. Here we include some of the experimental results of 
WebSOS [23] that show that the end-to-end latency increases by a factor of two, as shown in 
Figure 5. 

To complete the overhead analysis we measured the number of public key 
verifications an access point can perform, which indicates how many microchecks it can 
validate in unit time. We used a 3 GHz Pentium4 processor machine running Linux 
with the OpenSSL V 0.9.7c library for the measurements. The contribution of the 
micropayment system to the overall system latency overhead is minimal, even when we 
issue 1024-bit RSA certificates for the client credentials, as shown in Table 1. These 
measurements show that the impact of the user verification process on the access points 
is minimal. 

Fig. 5. WebSOS Latency overhead for different SSL-enabled services when using the shortcut 
routing mechanism. 



Table 1. Signing and verification times for 1024-bit RSA keys. 

    Sign          Verify        Sig/sec    Ver/sec 
    0.0037 sec    0.0002 sec    270.0      5055.9 



4 Related Work 

Considerable research has been devoted to the problem of network denial of service, 
with most of the effort focusing on tracing the sources of malicious attacks, filtering out 
attack traffic at the edges, and filtering inside the network itself. 

Methods for tracking down the sources of malicious attacks (e.g., [9,29,12]) generally 
require that routers mark packets or that they “remember” whether particular packets 
(or flows) have been seen in the recent past. Their primary use is in identifying the real 
sources of attacks involving spoofed traffic (i.e., traffic purporting to originate from an 
IP address different from that of the real source). As a value proposition, these 
mechanisms represent the worst approach for ISPs, since there is no way of quantifying their 
usefulness. 

A variant of the packet marking approaches creates probabilistically unique path- 
marks on packets without requiring router coordination; end-hosts or firewalls can then 
easily filter out packets belonging to a path that exhibits anomalous behavior [34]. 
Although this approach avoids many of the limitations of the pure marking schemes, 
it requires that core routers “touch” packets (rather than simply switch them). Again, 
however, it is unclear how ISPs can charge for such a service. 
Methods that filter at the edges are on the one hand attractive, since they require no 
action on the part of the ISP, but also (currently) the least successful in defending against 
DoS attacks, since they require wide deployment (particularly for mechanisms filtering 
at the sources of attacks). For example, systems that examine network traffic for known 
attack patterns or statistical anomalies in traffic patterns (e.g., [28]) can be defeated 
by changing the attack pattern and masking the anomalies that are sought by the filter. 
The D-WARD system [28] monitors outgoing traffic from a given source network and 
attempts to identify attack traffic by comparing against models of reasonable congestion 
control behavior. The amount of throttling on suspicious traffic is proportional to its 
deviation from the expected behavior, as specified by the model. An extension of 
D-WARD, COSSACK [25], allows participating agents to exchange information about 
observed traffic. 

An approach that uses BGP to propagate source addresses that can be used for 
filtering out source-spoofed packets inside the Internet core [26] places undue burden on 
the core and is useful only in weeding out spoofed packets; unfortunately, the majority 
of DDoS attacks do not use spoofed packets. [20] proposes using Class-Based Queuing 
on a web load-balancer to identify misbehaving IP addresses and place them in lower 
priority queues. However, many of the DDoS attacks simply cause congestion to the 
web server’s access link. To combat that, the load-balancer would have to be placed 
closer to the network core. Such detailed filtering and especially state-management on a 
per-source-IP address basis can have performance implications at such high speeds. In 
[14], the authors use a combination of techniques that examine packet contents, transient 
ramp-up behavior and spectral analysis to determine whether an attack is single- or 
multi-sourced, which would help focus the efforts of a hypothetical anti-DoS mechanism. 
Another interesting approach is that of [18], which proposes an IP hop-count-based 
filter to weed out spoofed packets. The rationale is that most such packets will not have a 
hop-count (TTL) field consistent with the IP addresses being spoofed. In practice, most 
DoS attacks are launched from subverted hosts. 

Mechanisms involving filtering inside the network itself (i.e., inside an ISP’s 
infrastructure), such as Pushback [15], require ISP investment (in infrastructure, manpower, 
and operational support). In Pushback, routers push filters towards the sources of an 
attack, based on the ingress traffic they observe on their various interfaces. Unfortunately, 
it is unclear how an ISP can charge for such a service; one possibility is as a subscription 
service, or measuring the number of times a client site invokes the service. 

Another approach to mitigating DoS attacks against information carriers is to 
massively replicate the content being secured around the entire network. To prevent access to 
the replicated information, an attacker must attack all replication points throughout the 
entire network — a task that is considerably more difficult than attacking a small number 
of, often co-located, servers. Replication is a promising means to preserve information 
that is relatively static, such as news articles. However, there are several reasons why 
replication is not always an ideal solution. For instance, the information may require 
frequent updates complicating large-scale coherency (especially during DoS attacks), or 
may be dynamic by its very nature (e.g., a live web-cast). Another concern is the 
security of the stored information: engineering a highly-replicated solution without leaks of 
information is a challenging endeavor. 
An extension of the ideas of SOS [22,23] appears in [1]. There, the two main facets of 
the SOS architecture, filtering and overlay routing, are explored separately, and several 
alternative mechanisms are considered. It is observed that in some cases, the various 
security properties offered by SOS can still be maintained using mechanisms that are 
simpler and more predictable. However, some second-order properties, such as the ability 
to rapidly reconfigure the architecture in anticipation of or in reaction to a breach of the 
filtering identity, are compromised. In most other respects, the two approaches are very 
similar. 

The NetBouncer project [32] considers the use of client-legitimacy tests for filtering 
attack traffic. Such tests include packet-validity tests (e.g., source address validation), 
flow-behavior analysis, and application-specific tests, including Graphic Turing Tests. 
However, since their solution is end-point based, it is susceptible to large link-congestion 
attacks. 

[3] examines several different DDoS mitigation technologies and their interactions. 
Among their conclusions, they mention that requiring the clients to do some work, e.g., 
[10], can be an effective countermeasure, provided the attacker does not have too many 
resources compared to the defender. Gligor [11] disagrees with this conclusion, noting 
that computational client puzzles cannot provide hard bounds (guarantees) on client wait 
time. 

Although we use a particular micropayment system [5], other schemes can also be 
used, including digital cash systems (e.g., [7]), scrip-based micropayments (e.g., [27]), 
and offline micropayment protocols (e.g., [31]). MiniPay [13] is particularly attractive, 
since it was developed primarily for use with a web browser, with considerable effort 
gone into the user interface aspect. Risk management is implemented as a decision 
to perform an online check with the billing server based on the total spending by the 
customer that day, and some parameter set by the merchant. We believe that general 
transactional payment schemes (e.g., [8]) may prove too heavy-weight for our purposes. 



5 Conclusion 



We present the first pay-friendly DoS protection system that furnishes ISPs with a better 
value proposition for deploying anti-DoS systems: a way to turn DoS protection into 
a commodity. Our pay-per-use system is based on the WebSOS DoS protection 
architecture, extended to include OTPchecks, a light-weight and flexible pay-per-use 
micropayment scheme. Its hardware and software deployment can be done without changing 
any of the current ISP infrastructure. The initial investment and maintenance cost can be 
regulated and scaled depending on the actual services protected. 

From the end user perspective, the system acts almost transparently: no modifications 
are required in the browsers since we are taking advantage of browser extensibility. 
Moreover, the target site offering the web service can have a more fine-grained control 
of the users that it serves without altering any of its current servers’ protocols. Finally, 
we allow a web service to charge its clients for the DoS protection service or provide 
the service as an added value feature. 
Abstract. Motivated by the conflict between authenticity and privacy 
in the digital signature, the notion of limited verifier signature was 
introduced [1]. The signature can be verified by a limited verifier, who will 
try to preserve the privacy of the signer if the signer follows some 
specified rules. Also, the limited verifier can provide a proof to convince a 
judge that the signer has indeed generated the signature if he violated 
the predetermined rule. However, the judge cannot transfer this proof to 
convince any other party. Also, the limited verifier signature should be 
converted into an ordinary one for public verification if required. 

In this paper, we first present the precise definition and clear security 
notions for (convertible) limited verifier signature, and then propose two 
efficient (convertible) limited verifier signature schemes from bilinear 
pairings. Our schemes were proved to achieve the desired security 
notions under the random oracle model. 

Keywords: Undeniable signature, Designated verifier signature, Lim- 
ited verifier signature, Bilinear pairings. 



1 Introduction 

Undeniable signature, introduced by Chaum and van Antwerpen [10], is a kind 
of digital signature which cannot be verified without interacting with the signer. 
It is useful in cases where the validity of a signature must not be universally 
verifiable. For example, a software vendor might embed his signature into his 
products and only allow paying customers to verify the authenticity of the 
products. If the vendor signed a message (product), he must provide some proofs 
to convince the customer of the fact. Also, these proofs must be non-transferable, 
i.e., once a verifier (customer) is convinced that the vendor signed (or did not 
sign) the message, he cannot transfer these proofs to convince any third party. 
After the initial work of Chaum and van Antwerpen, several undeniable signature 
schemes were proposed [9,17,15,22]. Also, Boyar et al. [5] introduced the notion 
of convertible undeniable signature. 
In some cases, it will be a disadvantage that the signature can be verified only 
with the cooperation of the signer. If the signer should be unavailable, or should 
refuse to cooperate, then the recipient cannot make use of the signature. This 
motivates the concept of “designated confirmer signature” [8]. The designated 
confirmer can confirm the signature even without the cooperation of the signer 
when a dispute occurs. 

In some applications, it is important for the signer to decide not only when 
but also by whom his signatures can be verified, because of blackmailing [13, 
20] and mafia [12] attacks. For example, a voting center presents a proof to 
convince a certain voter that his vote was counted, without letting him 
convince others (e.g., a coercer) of his vote; this is important for designing a 
receipt-free electronic voting scheme that prevents vote buying and coercion. This 
is the motivation of the concept of “designated verifier signature” [21]. The 
designated verifier will trust that the signer indeed signed a message, given a 
proof from the signer. However, he cannot present the proof to convince any third 
party because he is fully capable of generating the same proof by himself. 

Recently, motivated by privacy issues associated with the dissemination of signed 
digital certificates, Steinfeld et al. [26] introduced the concept of “universal 
designated verifier signature”, which can be viewed as an extended notion of 
designated verifier signature. Universal designated verifier signature allows any 
holder of the signature (not necessarily the signer) to designate the signature 
to any desired designated verifier. The verifier can be convinced that the signer 
indeed generated the signature, but cannot transfer the proof to convince any 
third party. For example, a user Alice is issued a signed certificate by the CA. 
When Alice wishes to send her certificate to a verifier Bob, she uses Bob’s public 
key to transform the CA’s signature into a universal designated verifier signature 
for Bob. Bob can verify the signature with the CA’s public key but is unable to 
use this designated signature to convince any third party that the certificate was 
issued by the CA, even if Bob is willing to reveal his secret key to the third 
party. 

In some applications, it is also important for the recipient to decide when 
and by whom the signer’s signature should be verified. For example, a credit com- 
pany will try its best to preserve the client’s privacy in order to gain his trust, 
provided that the client obeys the rules of the company. So, it is sufficient for 
the company alone to be convinced of the validity of the client’s signature on a 
dishonorable message such as a bill. Furthermore, the company will preserve the 
client’s privacy if he pays the bill within a certain time. However, if the client 
violated the rules, the company can provide a proof to convince a Judge of the 
client’s treachery, while the Judge cannot transfer the proof to convince any other 
third party. 

It is obvious that undeniable signature and designated verifier signature are 
unsuitable for these situations. In undeniable signatures, the signature can 
be verified only with the cooperation of the signer. In designated verifier 
signatures, the designated verifier can never transfer the signature or the proof 
to convince any third party, even if he would like to reveal his secret key. This 
is because the designated verifier is fully capable of generating a “signature” 
himself which is indistinguishable from the real signature of the signer. 

Araki et al. [1] introduced the concept of “limited verifier signature” to solve 
these problems. The limited verifier signature can only be verified by a limited 
verifier, who will try to preserve the signer’s privacy (especially for some dishonor- 
able message) unless the signer violated some rules. When a later dispute occurs, 
the limited verifier can convince a third party, usually a Judge, that the signer 
indeed generated a signature. We argue that the goal of the limited verifier is 
not to make the signature publicly verifiable, but to force the signer to obey 
the rules. In some cases, the signer may not intentionally violate the rules, and 
the limited verifier should give the signer some chances to correct his fault. 
Therefore, the Judge should not transfer this proof to convince any other party. 

In some situations, the signer’s privacy is closely related to the recipient’s 
privacy. For example, a spy, Carol, has a certificate with a signature of the 
President, which can be verified by Carol herself. Also, Carol can provide a proof 
of her real identity to a third party in case of an emergency. However, the 
signature and the proof cannot be transferred by the third party to convince any 
other party, in order to ensure Carol’s safety. Therefore, limited verifier signature 
can be used in any case where the signer’s signature should be protected by the 
recipient. 

Some official documents, which are treated as limited verifier signatures, should 
be verifiable by everyone after a period of time if necessary. This is the motivation 
of “convertible limited verifier signatures”, also introduced by Araki et al. [1]. 
Convertible limited verifier signatures enable the limited verifier to convert the 
signature into an ordinary one for public verification.¹ 

In the convertible limited verifier signature of [1], the conversion of the sig- 
nature requires the cooperation of the original signer, who must release some 
information. This might not be workable if the original signer is unwilling to 
cooperate or it is inconvenient for him. Furthermore, Zhang and Kim [28] proposed 
a universal forgery attack on this scheme. Wu et al. [24] proposed a convertible 
authenticated encryption scheme, which overcomes some disadvantages of Araki et 
al.’s scheme. However, if the recipient publishes the message and signature together, 
anyone can be convinced that the signer generated the signature, so it does not 
satisfy non-transferability. To the best of our knowledge, there seems to be no 
secure convertible limited verifier signature scheme. 

In this paper, we first present the precise definition and clear security no- 
tions for (convertible) limited verifier signature. Based on the power of different 
adversaries, we then propose two efficient (convertible) limited verifier signature 
schemes from bilinear pairings. Moreover, the conversion of the proposed limited 
verifier signature schemes does not need the cooperation of the original signer. 

The rest of the paper is organized as follows: Some preliminary works are 
given in Section 2. In Section 3, the precise definition and notions of security for 
limited verifier signature are presented. Our efficient limited verifier signature 
schemes from bilinear pairings are given in Section 4. In Section 5, the security 
and efficiency analysis of our schemes are given. Finally, conclusions are drawn 
in Section 6. 

¹ Convertible limited verifier signature is different from the notion of convertible 
undeniable signature, where only the signer can release some information to convert 
his originally undeniable signature into an ordinary one. 

2 Preliminary Works 

In this section, we will briefly describe the basic definition and properties of 
bilinear pairings and gap Diffie-Hellman group. 



2.1 Bilinear Pairings 

Let $G_1$ be a cyclic additive group generated by $P$, whose order is a prime $q$, and 
$G_2$ be a cyclic multiplicative group of the same order $q$. Let $a$ and $b$ be elements 
of $Z_q^*$. We assume that the discrete logarithm problems (DLP) in both $G_1$ and 
$G_2$ are hard. A bilinear pairing is a map $e : G_1 \times G_1 \to G_2$ with the following 
properties: 

1. Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$. 

2. Non-degenerate: There exist $P$ and $Q \in G_1$ such that $e(P, Q) \neq 1$. 

3. Computable: There is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$. 



2.2 Gap Diffie-Hellman Group 

Let $G_1$ be a cyclic additive group generated by $P$, whose order is a prime $q$. 
Assume that inversion and multiplication in $G_1$ can be computed efficiently. 
We introduce the following problems in $G_1$. 

1. Discrete Logarithm Problem (DLP): Given two elements $P$ and $Q$, find 
an integer $n \in Z_q^*$ such that $Q = nP$ whenever such an integer exists. 

2. Computational Diffie-Hellman Problem (CDHP): Given $P, aP, bP$ for $a, b \in Z_q^*$, 
compute $abP$. 

3. Decision Diffie-Hellman Problem (DDHP): Given $P, aP, bP, cP$ for $a, b, c \in Z_q^*$, 
decide whether $c = ab \bmod q$. 

4. Bilinear Diffie-Hellman Problem (BDHP): Given $P, aP, bP, cP$ for $a, b, c \in Z_q^*$, 
compute $W = e(P, P)^{abc} \in G_2$. 

We call $G_1$ a gap Diffie-Hellman group if DDHP can be solved in polyno- 
mial time but there is no polynomial time algorithm to solve CDHP with non- 
negligible probability. Such groups can be found in supersingular elliptic curves 
or hyperelliptic curves over finite fields, and the bilinear pairings can be derived 
from the Weil or Tate pairings. For more details, see [3,7,14,19]. 




Limited Verifier Signature from Bilinear Pairings 



3 Limited Verifier Signature (LVS) Scheme 

3.1 Precise Definition 

The limited verifier signature scheme involves a signer, a limited verifier (the 
designated recipient of the signature) and a certain third party (the Judge). It 
consists of six algorithms and a specific protocol. 

— System Parameters Generation: on input a security parameter $k$, out- 
puts the common system parameters $SP$. 

— Key Generation: on input the common system parameters $SP$, outputs a 
secret/public key pair $(sk, pk)$ for each user. 

— Limited Verifier Signing: on input the key pair $(sk_s, pk_s)$ of the signer, 
a message $m$ and the public key $pk_v$ of the limited verifier, outputs a limited 
verifier signature $\sigma$. 

— Limited Verifier Verification: on input the key pair $(sk_v, pk_v)$ of the lim- 
ited verifier, the public key $pk_s$ of the signer, and a limited verifier signature 
$\sigma$, outputs a verification decision $b \in \{0, 1\}$. If $b = 1$, the verifier accepts the 
signature. 

— Confirmation Protocol: a protocol between the limited verifier and a third 
party such as a Judge. The limited verifier provides a proof to convince the 
third party that a signature is indeed generated by a certain signer, while 
the third party cannot transfer this proof to convince any other party, even 
if he can always eavesdrop on the information exchanged between the signer 
and the limited verifier. 

— Convertible Limited Verifier Signing: on input the secret key $sk_v$ of 
the limited verifier, the public key $pk_s$ of the signer, the message $m$ and a 
limited verifier signature $\sigma$, outputs a convertible limited verifier signature 
$\sigma'$. 

— Public Verification: on input the public key $pk_v$ of the limited verifier, the 
public key $pk_s$ of the signer, the message $m$ and a convertible limited verifier 
signature $\sigma'$, outputs a verification decision $b \in \{0, 1\}$. If $b = 1$, anyone 
can be convinced that the signer indeed generated the signature $\sigma'$ for the 
message $m$. 



3.2 Adversarial Model 

The only assumption in the LVS scheme is that the limited verifier will try 
his best to preserve the signer’s privacy unless the signer violates some rules 
or an emergency occurs. But the limited verifier should never be able to forge 
a signature of the signer to frame him. Therefore, “unforgeability” is the basic 
cryptographic requirement of an LVS scheme. There are three kinds of forgers in 
an LVS scheme: “limited verifier”, “outsiders” and “colluders”. In the proposed 
schemes, we only consider the strongest adversarial model for unforgeability: an 
adversary can collude with the limited verifier. 

On the other hand, an adversary should not be able to forge a proof to 
convince any other party that the signer indeed generated a signature. “Non- 
transferability” is another basic cryptographic requirement in an LVS scheme. Sim- 
ilarly, we think the adversary can collude with the Judge. Also, we suppose the 
adversary can eavesdrop on all the information exchanged between the limited 
verifier and the signer. This is the strongest adversarial model for non-transferability. 
In this case, the adversary should not collude with the limited verifier any more, 
because the limited verifier wants to convince only the Judge of the fact. 



3.3 Security Requirements 
3.3.1 Unforgeability 

Similar to universal designated verifier signature schemes, there are two types of 
unforgeability in an LVS scheme. The first is identical to the usual existential un- 
forgeability notion under the chosen message attack. This prevents an adversary 
from framing the signer by “generating” a signature of the signer. The second requires 
that it is difficult for an adversary (usually the limited verifier) to forge a proof 
which can be used to convince a third party (usually a Judge) that the signer 
generated a signature for a message. Because an LVS scheme should be converted 
into an ordinary one for public verification when necessary, it is meaningless for 
the limited verifier to forge only a proof to frame a signer, even if he can.² In this 
sense, we only consider the first unforgeability in LVS schemes. 

Definition 1. An LVS scheme is said to be secure against existential forgery 
under adaptive chosen message attack if no polynomially bounded adversary $\mathcal{A}$ 
wins the following game with a non-negligible advantage. 

1. The challenger $\mathcal{C}$ runs the System Parameters Generation algorithm with a 
security parameter $k$ and sends the system parameters $SP$ to the adversary $\mathcal{A}$. 

2. The limited verifier $V$ runs the Key Generation algorithm to generate his key 
pair $(pk_V, sk_V)$ and publishes $pk_V$. Also, the adversary $\mathcal{A}$ is allowed to access 
the secret key $sk_V$. 

3. The adversary $\mathcal{A}$ performs a polynomially bounded number of queries to the 
challenger $\mathcal{C}$. 

4. Finally, the adversary $\mathcal{A}$ outputs a valid message-signature pair $(m, s)$. We 
say that $\mathcal{A}$ wins the game if $m$ was never queried by $\mathcal{A}$ in step 3. 



3.3.2 Non-transferability 

The property of non-transferability in an LVS scheme can be reduced directly 
from that of universal designated verifier signature schemes. 

Definition 2. Let $P(V, J)$ be a protocol between the limited verifier $V$ and a 
Judge $J$. The output of $P(V, J)$ is a proof $\mathcal{P}$ presented by $V$ which can convince 
$J$ of the truth of a statement $\theta$. We say the proof is non-transferable if $J$ is 
fully able to generate an indistinguishable proof $\mathcal{P}'$. In this case, no one can be 
convinced of the truth of the statement $\theta$ even if $J$ would like to reveal his secret 
key $sk_J$. 

² This is different from universal designated verifier signature schemes, where it is 
enough for the third party to be convinced by such a proof. 

4 Our Proposed LVS Schemes from Bilinear Pairings 

In this section, we propose two efficient LVS schemes from bilinear pairings 
based on the power of different adversaries. Furthermore, we present a general 
construction of LVS scheme. 

4.1 Our Scheme (I) 

— System Parameters Generation: Let $G_1$ be a gap Diffie-Hellman group 
generated by $P$, whose order is a prime $q$, and $G_2$ be a cyclic multiplicative 
group of the same order $q$. A bilinear pairing is a map $e : G_1 \times G_1 \to G_2$. 
Define three cryptographic hash functions $H_1 : \{0, 1\}^* \to G_1$, $H_2 : G_2 \to Z_q$ 
and $h : \{0, 1\}^l \times G_2 \to Z_q$, where $l$ denotes a bound on the message bit-length. 
The system parameters are $SP = \{G_1, G_2, e, q, P, H_1, H_2, h, l\}$. 

— Key Generation: The user $U$ randomly chooses $r_U \in_R Z_q^*$ as the secret 
key and computes the public key $r_U P$. 

— Limited Verifier Signing: Suppose Alice wants to sign the message $m$ for 
Bob. She does as follows: 

• Randomly choose a point $Q \in_R G_1$ and compute $c = e(Q, r_A P)$. 

• Compute $s = Q - r_A k H_1(m)$, where $k = h(m, e(Q, P))$. 

• Compute $t = H_2(e(r_A Q, r_B P))^{-1} s$. 

The signature for message $m$ is the triple $S = (c, k, t)$. 

— Limited Verifier Verification: On receiving the limited verifier signature 
$S$, Bob computes: 

• $s = H_2(c^{r_B})\, t$. 

• $d = e(s, P)\, e(H_1(m), r_A P)^k$. 

• Output “accept” if and only if $k = h(m, d)$. 

— Confirmation Protocol: When Alice does not obey some rules, only Bob 
can provide a proof to convince a Judge that Alice indeed signed a message, 
using the following confirmation protocol.³ However, the Judge cannot transfer 
this proof to convince any other party. 

• Bob computes $a = e(s, r_J P)$. 

• Bob sends $(a, d)$ and the message $m$ to the Judge. 

• Let $k = h(m, d)$. The Judge computes $l = (d^{r_J} / a)^{k^{-1}}$ and accepts the proof 
if and only if $l = e(H_1(m), r_A P)^{r_J}$. 

³ Note that no adversary can compute $s$ without the information $r_B$, even if he 
can eavesdrop on all the information exchanged between Bob and Alice and the Judge, 
unless he can solve CDHP in $G_2$. 

Actually, $l = e(r_A H_1(m), r_J P)$, which is a universal designated verifier sig- 
nature for the message $m$ in the sense of [26]. Therefore, the Judge will be convinced 
that Alice signed the message, while he cannot transfer this proof to convince any 
other party. 

We explain this in more detail. The Judge can simulate Bob to generate an 
indistinguishable pair $(a, d)$ for any message $m$ as follows: 

• He randomly chooses an element $d \in G_2$ and computes $k = h(m, d)$. 

• He computes $l = e(H_1(m), r_A P)^{r_J}$. 

• He computes $a = d^{r_J} / l^k$ and outputs $(a, d)$. 

— Convertible Limited Verifier Signing: In some situations, the limited 
verifier signature should be converted into an ordinary signature for public 
verification. In Araki et al.’s scheme, the conversion of the signature requires 
the cooperation of the original signer. However, it might be unworkable if 
the signer is unwilling to cooperate or it is inconvenient for him. In our scheme, 
both the signer and the limited verifier can convert a limited verifier signature 
into an ordinary one: 

• Alice (or Bob) publishes the message $m$ and the pair $(k, s)$. 

— Public Verification: Anyone can be convinced that the signer indeed gen- 
erated the signature for the message $m$: 

• The verifier computes $d = e(s, P)\, e(H_1(m), r_A P)^k$. 

• Output “accept” if and only if $k = h(m, d)$. 
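The following Python script is an added illustration, not code from the paper: it runs Scheme (I) end to end (signing, Bob's verification, the confirmation proof and the Judge's check, the Judge's simulation of an indistinguishable pair $(a, d)$, and public verification after conversion). Since no pairing library is assumed, the gap Diffie-Hellman group is replaced by an insecure toy map ($G_1 = (Z_q, +)$ with $P = 1$, $G_2$ the order-$q$ subgroup of $Z_p^*$, $e(X, Y) = g^{XY}$) and the hash functions by domain-separated SHA-256; these are assumptions of the example, which checks the scheme's equations only, not its security.

```python
# Added example (not from the paper): a walk-through of LVS scheme (I).
# Assumed stand-in for the bilinear map: G1 = (Z_q, +) with generator P = 1,
# G2 = the order-q subgroup of Z_p^*, and e(X, Y) = g^(X*Y mod q) mod p.
# The map is bilinear, non-degenerate and computable, but the DLP in G1 is
# trivial (the "point" xP is the integer x), so only the algebra is checked.
import hashlib
import secrets

Q = (1 << 31) - 1   # prime order q of G1 and G2 (a Mersenne prime)

def _is_prime(n):
    """Trial division; fast enough for the ~2^33-sized p searched for below."""
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True

def _setup():
    """Find a prime p = k*q + 1 and a generator g of the order-q subgroup of Z_p^*."""
    k = 2
    while not _is_prime(k * Q + 1):
        k += 2
    p, g, base = k * Q + 1, 1, 2
    while g == 1:                     # base^k is 1 or has order exactly q
        g, base = pow(base, k, p), base + 1
    return p, g

P_MOD, G2_GEN = _setup()
P = 1                                 # generator of G1; xP is x mod q

def e(X, Y):
    """Toy bilinear pairing G1 x G1 -> G2."""
    return pow(G2_GEN, (X * Y) % Q, P_MOD)

def _hq(tag, *parts):
    """Domain-separated SHA-256 hash into Z_q* (nonzero, so inverses exist)."""
    data = "|".join([tag] + [str(x) for x in parts]).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def H1(m): return _hq("H1", m)        # {0,1}* -> G1
def H2(z): return _hq("H2", z)        # G2 -> Z_q
def h(m, d): return _hq("h", m, d)    # {0,1}* x G2 -> Z_q

def keygen():
    """User U picks r_U in Z_q*; the public key is r_U P."""
    r = secrets.randbelow(Q - 1) + 1
    return r, (r * P) % Q

def sign(r_a, pk_b, m):
    """Alice's Limited Verifier Signing for Bob; returns S = (c, k, t)."""
    Qpt = secrets.randbelow(Q - 1) + 1          # random point Q in G1
    c = e(Qpt, (r_a * P) % Q)                   # c = e(Q, r_A P)
    k = h(m, e(Qpt, P))                         # k = h(m, e(Q, P))
    s = (Qpt - r_a * k * H1(m)) % Q             # s = Q - r_A k H1(m)
    shared = e((r_a * Qpt) % Q, pk_b)           # e(r_A Q, r_B P) = c^{r_B}
    t = pow(H2(shared), -1, Q) * s % Q          # t = H2(.)^{-1} s
    return c, k, t

def verify(r_b, pk_a, m, sig):
    """Bob's Limited Verifier Verification; returns (accept, s, d)."""
    c, k, t = sig
    s = H2(pow(c, r_b, P_MOD)) * t % Q          # s = H2(c^{r_B}) t
    d = e(s, P) * pow(e(H1(m), pk_a), k, P_MOD) % P_MOD
    return k == h(m, d), s, d

def confirm(s, d, pk_j):
    """Bob's proof for the Judge: (a, d) with a = e(s, r_J P)."""
    return e(s, pk_j), d

def judge_check(r_j, pk_a, m, proof):
    """Judge: l = (d^{r_J} / a)^{1/k} must equal e(H1(m), r_A P)^{r_J}."""
    a, d = proof
    k = h(m, d)
    quot = pow(d, r_j, P_MOD) * pow(a, -1, P_MOD) % P_MOD
    l = pow(quot, pow(k, -1, Q), P_MOD)
    return l == pow(e(H1(m), pk_a), r_j, P_MOD)

def judge_simulate(r_j, pk_a, m):
    """The Judge forges an indistinguishable (a, d) alone: non-transferability."""
    d = pow(G2_GEN, secrets.randbelow(Q), P_MOD)
    k = h(m, d)
    l = pow(e(H1(m), pk_a), r_j, P_MOD)
    a = pow(d, r_j, P_MOD) * pow(pow(l, k, P_MOD), -1, P_MOD) % P_MOD
    return a, d

def public_verify(pk_a, m, k, s):
    """Anyone checks the converted signature (m, k, s) with public keys only."""
    d = e(s, P) * pow(e(H1(m), pk_a), k, P_MOD) % P_MOD
    return k == h(m, d)
```

A simulated proof from `judge_simulate` passes `judge_check` exactly like Bob's real one, which is the non-transferability argument of the text made concrete.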



4.2 Our Scheme (II) 

In some situations, the message $m$, e.g., an official document, should also be 
confidential. Signcryption, first introduced by Zheng [29], provides both message 
confidentiality and unforgeability simultaneously, at a lower computational 
and communication overhead compared to the Encrypt-and-Sign method. A signcryp- 
tion protocol usually should satisfy the property of public verifiability, i.e., if 
a recipient Bob can recover the signer Alice’s signature, anyone can verify the 
signature based on a given signature scheme.⁴ However, in the limited verifier 
signcryption algorithm, the signature can only be verified by the recipient himself, 
even after the recipient has recovered the message-signature pair. Also, it should 
satisfy the property of non-transferability, i.e., the recipient can provide a proof 
to convince a third party that the signer generated a signature, while the third 
party cannot transfer the proof to convince any other party. Therefore, the 
signature on the message must be invisible in the ciphertext, because the adversary 
can eavesdrop on all the information exchanged between the recipient and others. 
If the adversary knows the signature, the message and the proof, he can convince 
any party that the signer indeed generated the signature. We will explain this 
later in more detail. 

We construct the limited verifier signature protocol based on the “Sign-then- 
Encrypt” methodology [6]. Without loss of generality, let Alice be the signer 
and Bob the recipient (limited verifier). 

⁴ Shin et al. [25] defined this “SIG-verifiability”. 
— System Parameters Generation: Let $G_1$ be a gap Diffie-Hellman group 
generated by $P$, whose order is a prime $q$, and $G_2$ be a cyclic multiplicative 
group of the same order $q$. A bilinear pairing is a map $e : G_1 \times G_1 \to G_2$. 
Define five cryptographic hash functions $H_1 : \{0, 1\}^* \to G_1$, $H_2 : G_2 \to Z_q$, 
$H_3 : Z_q \to G_1$, $H_4 : G_1 \to \{0, 1\}^l$, and $h : \{0, 1\}^* \times Z_q \to Z_q$, where 
$l$ denotes a bound on the message bit-length. The system parameters are 
$SP = \{G_1, G_2, e, q, P, H_1, H_2, H_3, H_4, h, l\}$. 

— Key Generation: The user $U$ randomly chooses $r_U \in_R Z_q^*$ as his secret 
key and computes the public key $r_U P$. 

— Limited Verifier Signing (Signcryption): Suppose Alice wants to sign 
the message $m$ for Bob. She does as follows: 

• Randomly choose an integer $c \in_R Z_q$ and compute $S = c\, r_A H_1(m)$. 

• Compute $k = h(m, c)$. 

• Compute $U = H_2(e(r_A P, r_B P)^k) \oplus c$. 

• Compute $V = H_3(c) \oplus S$. 

• Compute $W = H_4(S) \oplus m$. 

The signature for message $m$ is the ciphertext $C = (kP, U, V, W)$. 

— Limited Verifier Verification (Unsigncryption): On receiving the lim- 
ited verifier signature $C$, Bob computes: 

• $c = U \oplus H_2(e(r_A P, kP)^{r_B})$. 

• $S = V \oplus H_3(c)$. 

• $m = W \oplus H_4(S)$. 

• Verify that $kP = h(m, c)P$. If not, output “reject”. 

• Output “accept” if and only if $e(S, P)^{c^{-1}} = e(H_1(m), r_A P)$. 

— Confirmation Protocol: Bob can convince a Judge that Alice indeed 
signed a message with the following confirmation protocol.⁵ From the prop- 
erty of universal designated verifier signature, the Judge cannot transfer this 
proof to convince any other party. 

• Bob computes $a = e(S, r_J P)^{c^{-1}}$. 

• Bob sends $a$ and the message $m$ to the Judge. 

• The Judge outputs “accept” if and only if $a = e(H_1(m), r_A P)^{r_J}$. 

Note that the Judge is fully able to generate the indistinguishable proof 
$e(H_1(m), r_A P)^{r_J}$ himself. Therefore, he cannot use this proof to convince any 
other party. 

— Convertible Limited Verifier Signing: Both the signer and the limited ver- 
ifier can convert a limited verifier signature into an ordinary one: 

• Alice (or Bob) publishes the message $m$ and the signature $T = c^{-1} S$. 

— Public Verification: Anyone can be convinced that the signer indeed gen- 
erated the signature for the message $m$: 

• Output “accept” if and only if $e(T, P) = e(H_1(m), r_A P)$. 

⁵ No adversary can compute $c$, and hence recover the signature, without the information 
$r_B$, even if he can eavesdrop on all the information exchanged between Bob and Alice 
and the Judge, unless he can solve BDHP in $G_1$. 
4.3 Generalization 

Our Scheme (II) can be extended to a general construction of (convertible) 
limited verifier signature. The signer generates a universal designated verifier 
signature $s$ on the message $m$ and then encrypts the concatenation of $m$ and $s$ 
with the limited verifier’s public key $PK_V$ by using a semantically secure prob- 
abilistic encryption algorithm $ENC$. The ciphertext $C = ENC_{PK_V}(m \| s)$ is the 
limited verifier signature for the message $m$. 

The limited verifier decrypts the ciphertext with his secret key and can then 
designate it to any Judge as in the universal designated verifier signature scheme. 
For public verification, the limited verifier (or the signer) publishes $m$ and $s$, and 
anyone can be convinced that the signer generated the signature $s$ for the 
message $m$. 

Recently, Steinfeld et al. [27] extended standard Schnorr/RSA signatures 
into universal designated verifier signatures. Therefore, we can use the general 
construction to design (convertible) limited verifier signature schemes without 
pairings. 



5 Analysis of the Proposed Schemes 

5.1 Security 

Lemma 1. Under the strongest adversarial model, if an adversary $\mathcal{A}$ in scheme 
(I) can forge a valid signature $(m, c, k, t)$ with advantage $\epsilon$ within time $T$, 
then he can forge the valid signature $(m, c, k, s)$ with the same advantage $\epsilon$ within 
time $T$, and vice versa. 

Proof. Suppose the adversary $\mathcal{A}$ can forge a valid signature $(m, c, k, t)$ with 
advantage $\epsilon$ within time $T$. Then he can compute $s = H_2(c^{r_B})\, t$, since he can 
access the secret key $r_B$ of the limited verifier Bob, i.e., he can forge the valid 
signature $(m, c, k, s)$ with the same advantage $\epsilon$ within time $T$, and vice versa. 
□ 



Theorem 1. In the random oracle model, if there exists an adversary $\mathcal{A}$ that can suc- 
ceed in an existential forgery against the proposed LVS scheme (I) with an ad- 
vantage $\epsilon$ within time $T$ when performing $n$ queries to the signature oracle 
and the hash oracles $h$ and $H_1$, then there exists an algorithm $\mathcal{C}$ that can solve the 
CDHP in $G_1$ with advantage $\epsilon' \geq \epsilon / n$ within time $T' \leq 84480\, nT / \epsilon$. 

Proof. Let $P$ be a generator of $G_1$. The following algorithm $\mathcal{C}$ can be used to 
compute $abP$ for a randomly given triple $(P, aP, bP)$. Define the public key of 
the signer to be $aP$. 

Randomly choose $x_i \in Z_q$, $y_i \in Z_q$ and $k_i \in Z_q$ for $i = 1, 2, \cdots, n$. Denote by 
$m_i$ the (partial) input of the $i$-th query to $h$ and $H_1$. We show how the queries 
of $\mathcal{A}$ can be simulated. 

Choose an index $r \in \{1, 2, \cdots, n\}$ randomly. Define 

$c_i = e(x_i P, aP)$, 

$h(m_i, e(x_i P, P)) = k_i$, 

$H_1(m_i) = \begin{cases} bP, & \text{if } i = r \\ y_i P, & \text{if } i \neq r \end{cases}$ 

$s_i = \begin{cases} \text{``Fail''}, & \text{if } i = r \\ x_i P - y_i k_i (aP), & \text{if } i \neq r \end{cases}$ 

Suppose the output of $\mathcal{A}$ is $(m, c, k, s)$. If $m = m_r$ and $(m, c, k, s)$ is valid, 
output $(m, c, k, s)$. Otherwise, output “Fail” and halt. 

By replaying $\mathcal{A}$ with the same random tape but different choices of the oracle $h$, as 
done in the Forking Lemma [23], we can obtain two valid signatures $(m, c, k, s)$ 
and $(m, c, k', s')$ with respect to different hash oracles $h$ and $h'$. Note that $s = 
Q - akH_1(m)$ and $s' = Q - ak'H_1(m)$, so we have $abP = (s - s')/(k' - k)$. 

Because $h$ and $H_1$ are random oracles, the adversary $\mathcal{A}$ cannot distinguish 
the simulation of algorithm $\mathcal{C}$ from the real signer. Also, since $r$ is independently 
and randomly chosen, the success probability of $\mathcal{C}$ is $\epsilon / n$. The total running 
time $T'$ of algorithm $\mathcal{C}$ is equal to the running time of the Forking Lemma [23], 
which is bounded by $84480\, nT / \epsilon$. □ 

⁶ An anonymous reviewer suggested the general approach. 

In our scheme (II), the proposed signcryption algorithm is based on the “Sign- 
then-Encrypt” methodology, and can be viewed as the standard version of 
Boyen’s ID-based signcryption algorithm [6]. Therefore, we have 

Theorem 2. In the random oracle model, the proposed signcryption algorithm in our 
scheme (II) is semantically secure against adaptively chosen ciphertext attacks 
and unforgeable against adaptively chosen message attacks under the 
assumption that BDHP is intractable. 

Theorem 3. Our proposed LVS schemes both satisfy the property of non- 
transferability under the assumption that BDHP is intractable. 

Proof. Firstly, the third party can be convinced by the proof that the signer 
indeed generated a signature. From the result of [26], we know that it is impossible 
for the limited verifier to forge a universal designated verifier signature to cheat 
the Judge. 

Secondly, the Judge cannot transfer the proof to convince any other party. 
In scheme (I), the proof is the pair $(a, d)$. We have shown that the Judge is 
fully able to generate an indistinguishable pair. In scheme (II), the proof is just 
a universal designated verifier signature. Therefore, the non-transferability of 
both schemes is obvious. □ 
5.2 Efficiency 

We compare the efficiency of our schemes with that of Araki et al.’s scheme. In 
Table 1, we denote by P the pairing operation, M the point scalar multiplication 
in $G_1$, E exponentiation in $G_2$ and R inversion in $Z_q$. We ignore other operations 
such as hashing in all schemes. 



Table 1. Comparison of computation cost 

              Araki’s scheme   Our scheme (I)   Our scheme (II) 
Signing       1E + 2R          2P + 3M + 1R     1P + 2M 
Verification  2E + 1R          2P + 1M + 1E     2P + 1E + 1R 
Confirmation  11E + 1R         2P + 2E + 2R     2P + 2E 
Denial        24E              /                / 
Conversion    3E + 1R          2P + 1E          2P 



In Araki et al.’s scheme, both the confirmation and the denial protocol need 
rounds of interactive communication. However, the confirmation protocol in our 
schemes is performed in a non-interactive manner. Moreover, our schemes do 
not require a denial protocol: the Judge can be convinced by a proof that 
the signer indeed generated a signature, and because the proposed scheme can be 
converted into an ordinary one for public verification when necessary, the signer 
cannot repudiate his signature. 

Suppose the length of a point in $G_1$ is $|q|$, and the length of an element of 
$G_2$ and of the message $m$ is $|p|$. Table 2 presents the comparison of communication 
cost between Araki et al.’s scheme and ours. 



Table 2. Comparison of communication cost 

              Araki’s scheme   Our scheme (I)   Our scheme (II) 
Signing       1|p| + 1|q|      2|p| + 2|q|      1|p| + 3|q| 
Confirmation  3|p| + 3|q|      3|p|             2|p| 
Denial        6|p| + 6|q|      /                / 
Conversion    2|p| + 1|q|      1|p| + 2|q|      1|p| + 1|q| 



6 Conclusions 

The ordinary digital signature provides the functions of integrity, authenti- 
cation, and non-repudiation for the signed message. Anyone can verify the sig- 
nature with the signer’s public key. However, in some situations it is unnecessary 
for anyone to be convinced of the validity of the signature. It is sufficient for a 
designated recipient, who will try to preserve the signer’s privacy if the signer 
follows some specified rules, to verify the signature. Limited verifier signature was 
introduced to solve this problem. If the signer violated the rules, the designated 
recipient (namely, the limited verifier) can provide a proof to convince a judge that 
the signer indeed generated the signature for the message. Also, the limited ver- 
ifier can convert the signature into an ordinary one for public verification 
when necessary. In this paper, we first present the precise definition and clear 
security notions for (convertible) limited verifier signature, and then propose 
two new (convertible) limited verifier signature schemes from bilinear pairings. 
Moreover, we proved that our schemes achieve the desired security notions in 
the random oracle model. 

In our schemes, the confirmation protocol does not need interactive com- 
munication and the conversion does not need the cooperation of the original 
signer. Therefore, they are much more efficient than the previous scheme. 
Abstract. Ring signatures allow a signer in an ad-hoc group to authenticate a 
message on behalf of the group without revealing which member actually produced 
the signature [8]. Recently, this notion has been extended by Naor by introducing 
Deniable Ring Authentication: it is possible to convince a verifier that a member 
of an ad-hoc subset of participants is authenticating a message without revealing 
which member has issued the signature, and the verifier V cannot convince any 
third party that message m was indeed authenticated. Unfortunately, the scheme 
proposed in [7] requires an interactive protocol, which in turn requires the 
assumption that an anonymous routing channel (e.g. a MIX-net) exists. Under this 
restriction, the primitive cannot be used in practice without an anonymous routing 
channel. In this paper, we introduce a non-interactive version of deniable ring 
authentication, i.e. a deniable ring authentication scheme that requires no 
interactive protocol (cf. [7]). We present a generic construction that can convert 
any existing ring signature scheme into a deniable ring authentication scheme. Our 
generic construction combines any ring signature scheme with an ID-based chameleon 
hash function. We also present three ID-based chameleon hash functions and show 
that our schemes outperform the construction proposed in [2]. 



1 Introduction 

A ring signature scheme [8] can be used to convince a verifier that a document 
is legitimately signed by one of the n possible independent signers without revealing 
the identity of the signer. This signature scheme can be seen as a simple group 
signature scheme that has no group manager who can revoke the identity of the 
signer in the case of forgery. To produce a ring signature, the signer constructs 
an ad-hoc collection of signers that includes himself, and computes the signature 
entirely by himself using only his own secret key and the others' public keys. This 
primitive was formalized by Rivest, Shamir and Tauman in [8], and the construction 
presented in [8] is based on RSA. 

In [1], Abe, Ohkubo and Suzuki presented a scheme that uses public keys of 
several different signature schemes (based on the discrete logarithm problem 
and/or factorization) to generate a ring signature scheme (which they call a 
1-out-of-n signature scheme). Unlike the previous construction, their contribution 
allows a mixture of DL-type keys and RSA-type keys in the ring signature construction. 

Recently, Naor extended this work to introduce a new primitive called Deni- 
able Ring Authentication [7]. Deniable Ring Authentication allows a signer, who 
forms an ad-hoc collection of participants, to convince a single verifier, V, that 
a member of an ad-hoc group is authenticating a message m, without revealing 
which one. Moreover, the verifier V cannot convince any third party that mes- 
sage m was indeed authenticated. This is done by showing that the verifier V 
could have produced such signature by himself, without any interaction with the 
signers. 

The primitive introduced in [7] is particularly useful in the case where the 
signer would like to designate his authenticated message to a particular verifier. 
The construction provided in [7] is based on the assumption that users have 
public keys of some good encryption schemes. However, the drawbacks of the 
presented scheme are as follows. Firstly, the scheme requires an interactive zero 
knowledge protocol. It is assumed that an anonymous routing channel (e.g. a 
MIX-net) exists and can be used. Secondly, the message size is longer compared to a 
normal ring signature. This is due to the interactivity required in the protocol. 

In this paper, we provide a generic construction for Deniable Ring Authentication 
that is non-interactive, i.e. that does not require any interaction between signer 
and verifier. By removing the interactivity of the protocol, the primitive can be 
used more widely in practice (cf. [7]). 



1.1 Related Work 

In [8], the definition of ring signatures was formalized and an efficient scheme 
based on RSA was proposed. The ring signature scheme of [8] is based on trapdoor 
one-way permutations and an ideal block cipher that is regarded as a perfectly 
random permutation. A ring signature scheme allows a signer who knows at least 
one piece of secret information (or trapdoor information) to produce a sequence 
of n random permutations and form them into a ring. This signature can be used 
to convince any third party that one of the participants in the group (who knows 
the trapdoor information) has authenticated the message on behalf of the group. 
The authentication provides signer ambiguity, in the sense that no one can 
identify who has actually signed the message. 

In [1], a method to construct a ring signature from different types of public 
keys, such as those for integer factoring based schemes and discrete log based 
schemes, was proposed. The proposed scheme is more efficient than [8]. The 
formal security definition of a ring signature is also given in [1]. 

Dwork, Naor and Sahai proposed deniable authentication in [5]. Deniable 
authentication provides a system that addresses the deniability aspect, i.e. the 
protocol does not leave any paper trail for the authentication of the message. 
This work allows a single signer to achieve this property. 

In [7], the notion of ring signatures was combined with deniable authentication 
[5]. The result is called Deniable Ring Authentication; it allows a signer to 
authenticate a message m on behalf of an ad hoc collection of users and to 
convince a verifier that this authentication is done correctly. Moreover, the 
verifier cannot convince any third party that the message m was indeed 
authenticated. There is no 'paper trail' of the conversation, other than what 
could be produced by the verifier alone, as in zero-knowledge [7]. However, the 
verification is done interactively, and hence the requirement of anonymous 
routing, such as MIX-nets, is essential. Moreover, as a result of the requirements 
of this new notion, the message size is longer compared to a normal ring signature. 

In [11], we constructed a non-interactive version of deniable ring authenti- 
cation scheme. The scheme uses a combination of a ring signature scheme and 
a chameleon hash function. However, we assume that the verifier has setup a 
chameleon hash function before a message can be sent to him/her, and this is 
certainly not practical. 

Our Contributions 

Essentially, we provide a generic construction for non-interactive deniable ring 
authentication schemes. Our schemes satisfy all the requirements defined in [7], 
but there is no interactivity involved. The recipient of the deniable ring 
authentication can verify the correctness of an authenticated message without any 
interaction with the ad-hoc signers. This will certainly improve the usability of 
deniable ring authentication in practice. The size of our signature is the same 
as that of the original ring signature scheme together with a random number. This 
is significantly shorter compared to the previous construction in [7]. Our scheme 
is an ID-based scheme, which means that the only requirement for the verifier (or 
signature recipient) is to have his ID (such as an email address, a person's 
address, etc.) published. We assume that there is a trusted authority TA, which is 
only required when the verifier wants to generate his secret key based on his ID. 
We note that this assumption always exists in ID-based cryptography, as pointed 
out in its seminal paper [10]. As pointed out in [7], the verifier V does not 
necessarily have to set up his public-private key pair before a signer (on behalf 
of an ad-hoc group) decides to send him a message. Based on our generic 
construction, we can convert any ring signature scheme into a deniable ring 
authentication scheme. We note that, as in any other ID-based system, our scheme 
is very applicable in a closed network [10] where a TA trusted by all participants 
exists. 

The rest of this paper is organized as follows. In the next section, we review 
some cryptographic tools that are required in this paper. In section 3, we present 
three constructions of ID-based chameleon hashing that are based on the difficulty 
of the factorization problem. We evaluate the efficiency of our schemes and show 
that they are more efficient than the scheme proposed in [2]. In section 4, we 
present our generic construction for deniable ring authentication schemes that do 
not require any interaction with the signers to verify the authenticity of the 
message. We also present an example of such a construction in the same section. 
Section 5 concludes the paper. 
2 Cryptographic Tools 

2.1 Chameleon Hashing and ID-Based Chameleon Hashing 

Chameleon hashing (or trapdoor commitment) is basically a non-interactive 
commitment scheme as proposed by Brassard, Chaum and Crepeau [3]. The idea of 
chameleon hash functions was introduced and formalized in [6] in the construction 
of their chameleon signature schemes. The name "chameleon" refers to the ability of 
the owner of the trapdoor information to change the input to the function to any 
value of his choice without changing the resulting output. 

A chameleon hash function is associated with a pair of public and private 
keys and has the following properties [6]: (1) Anyone who knows the public 
key can compute the associated hash function. (2) For people who do not have 
the knowledge of the trapdoor (i.e. the secret key), the hash function is collision 
resistant: it is infeasible to find two inputs which are mapped to the same output. 
(3) The trapdoor information’s holder can easily find collisions for every given 
input. 

Several constructions of chameleon hashing have been proposed: in [6], based on 
discrete log, and in [4], based on the hardness of deciding whether an element is 
a "small" e-th residue modulo $N^2$. 

The idea of chameleon hashing has been extended in [2] to construct an 
identity-based chameleon hash. An ID-based chameleon hash scheme is defined 
by a family of efficiently computable algorithms (Setup, Extract, Hash, Forge) as 
follows. 

— Setup: A probabilistic algorithm that is run by a trusted authority TA to 
generate a pair of keys SK and VK defining the scheme. TA publishes VK 
and keeps SK secret. 

— Extract: A deterministic algorithm that accepts SK and an identity string 
ID and outputs the trapdoor information T associated with the identity ID. 

— Hash: A probabilistic algorithm that accepts VK, an identity string ID and 
a message m to produce a hash value h. 

— Forge: An algorithm that, on input VK, an identity string ID, the trapdoor 
information T associated with ID, a message m', and a hash value 
h = Hash(VK, ID, m), outputs a sequence of random bits that correspond to a 
valid computation of Hash(VK, ID, m') yielding a collision on the same target 
value h. 

Related to this definition is the notion of collision forgery defined [2] as follows. 

Definition 1. A collision forgery strategy is a probabilistic algorithm that, given 
an identity string ID, a message $m$ and random bits $r$, outputs another message 
$m'$ and random bits $r'$, where $m \neq m'$ and $r \neq r'$, such that 
$\mathrm{Hash}(ID, m, r) = \mathrm{Hash}(ID, m', r')$ with non-negligible probability. 

A hashing scheme is said to be secure against existential collision forgery by 
passive attacks if no collision-forgery strategy against it exists. 

The semantic security for chameleon hashing scheme is defined as follows [2] . 
Definition 2. The chameleon hashing scheme is said to be semantically secure 
if for all identity strings ID and all pairs of messages $(m, m')$, the probability 
distributions of the random variables $\mathrm{Hash}(ID, m, r)$ and 
$\mathrm{Hash}(ID, m', r')$ are computationally indistinguishable. 

In [2], an ID-based chameleon hash function based on factorization is proposed. 
An application of the ID-based chameleon hash function to a sealed-bid auction 
system is also shown there. 



2.2 Ring Signature Schemes 

For convenience of presentation, we review ring signature schemes in this section. 
We use the notation proposed in [1] to define ring signature schemes. We note 
that ring signature schemes are referred to as 1-out-of-n signatures in [1]. 

Definition 3. [1] A ring signature scheme consists of three polynomial time 
algorithms: 

— $(sk, pk) \leftarrow \mathcal{G}(1^\kappa)$: A probabilistic algorithm that takes a 
security parameter $\kappa$ and outputs a private key $sk$ and a public key $pk$. 

— $\sigma \leftarrow \mathcal{S}(m, sk, L)$: A probabilistic algorithm that takes a 
message $m$, a private key $sk$ and a list $L$ of public keys, including the one 
that corresponds to $sk$, and outputs a signature $\sigma$. 

— $\{\mathrm{True}\ \text{or}\ \bot\} \leftarrow \mathcal{V}(m, \sigma, L)$: A 
deterministic algorithm that takes a message $m$, a signature $\sigma$ and a list 
$L$, and outputs either True or $\bot$, meaning accept or reject, respectively. It is 
required that $\mathrm{True} \leftarrow \mathcal{V}(m, \mathcal{S}(m, sk, L), L)$ 
holds with overwhelming probability. 

A ring signature scheme that allows a mixture of factorization and discrete log 
based public keys has been constructed in [1]. 

2.3 Deniable Ring Authentication 

The notion of deniable ring authentication is formalized in [7]. The setup and 
requirements of a deniable ring authentication scheme are summarized as follows. 

Setup. We assume that the participants have published their public keys. The 
public keys are generated via a standard public key generation algorithm. We 
define the ring as follows. 

A ring $\mathcal{S}$ contains any subset of participants. An authenticator 
$S_i \in \mathcal{S}$ can sign on behalf of $\mathcal{S}$. The verifier of a 
message, $V$, is an arbitrary party. We require that $V \notin \mathcal{S}$. We 
assume that both the verifier and the authenticator have access to the public keys 
of all members $S_i \in \mathcal{S}$. The verifier $V$ can verify an authenticated 
message. In Naor's construction in [7], the verification must be done interactively 
with the help of the ad-hoc group $\mathcal{S}$. However, as we will show in this 
paper, we can remove this requirement by allowing the verifier $V$ to test the 
authenticity of the signature by himself. 
In the following definition, we denote by $\langle sk_i, pk_i \rangle$ a pair of 
secret and public keys, generated by a specific algorithm, that is owned by $S_i$. 
A deniable authentication scheme consists of the following algorithms: 

— DeniableSign$(m, sk, L, V)$: a probabilistic polynomial-time algorithm that 
takes a message $m \in \{0,1\}^*$ and a list $L$ that contains a set of public 
keys, including the one that corresponds to the secret key $sk$, and outputs a 
signature $\sigma$ that can only be verified by $V$. 

— DeniableVerify$(m, \sigma, L)$: a deterministic non-interactive polynomial-time 
algorithm that takes a message $m$, a signature $\sigma$ and a list of public keys 
$L$, and outputs either True or $\bot$, meaning accept or reject, respectively. 

We require that 

$$\Pr\left[\,\mathrm{True} \leftarrow \mathrm{DeniableVerify}(m, \sigma, L) \;:\; \sigma \leftarrow \mathrm{DeniableSign}(m, sk, L, V)\,\right]$$ 

be overwhelming (cf. Definition 3). $L$ includes public keys based on different 
security parameters, and the security of DeniableSign$(m, sk, L, V)$ is set to the 
smallest one among them. $L$ can include several types of public keys at the same 
time, such as RSA and Schnorr keys in a particular construction. 

We note that the verifier V cannot convince any other third party about 
the authenticity of the message because he can always forge the signature by 
creating the required proof in the verification by himself [7]. 

As presented in [7], the verification requires V to interact with the ad-hoc 
group of participants to test the authenticity of the message. This restriction 
requires an existence of an anonymous routing channel [7]. The purpose of this 
work is to remove this requirement and to allow V to verify the authenticity of 
the signature without any communication with S. 

Intuitively, our idea is to combine any ring signature scheme with an ID- 
based chameleon hash function to obtain a deniable ring authentication scheme. 
In the following section, we will present three novel constructions of ID-based 
chameleon hash functions, that are based on the hardness of factorization prob- 
lem, and we will proceed with our generic construction for deniable authentica- 
tion schemes in section 4. 

3 Three Constructions of ID-Based Chameleon Hash 
Schemes Based on Factorization 

In this section, we will present three ID-based chameleon hash functions. We 
will also show that our schemes are more efficient than the one proposed in [2]. 
The settings for the three ID-based chameleon hash functions are as follows. 

Model 

We assume there is a trusted authority TA which exists to assist the receiver 
to "extract" his secret key whenever needed. As noted in [10], the existence of 
TA can be completely removed after this process. Let ID denote an identity 
string associated to some party. We note that this ID can be an email address, 
a person's address, etc. that can uniquely determine the party [10]. Let 
$\mathcal{H}_{ID}$ be a secure public one-way hash function (for instance, the hash 
function as defined and used in the ID-based signature scheme in [10]) or a public 
secure hash-and-encode scheme (e.g. the EMSA-PSS encoding defined in [9]). 

3.1 Scheme 1: An ID-Based Chameleon Hash Based on 
Factorization 

Setup: Following the above setting, the TA generates two safe prime numbers $p$ 
and $q$ (where $p = 2p' + 1$, $q = 2q' + 1$, and $p', q'$ are also prime) and 
computes $n = pq$. Then, he selects a random element $a \in \mathbb{Z}_n^*$ with 
$\mathrm{ord}_n(a) = p'q'$. The public key VK is $(n, a)$. TA's secret key SK is 
$(p, q)$. 

Extract: To extract his secret key, a party obtains his identity ID and applies the 
public hash function $\mathcal{H}_{ID}$ to obtain $Q_{ID} = \mathcal{H}_{ID}(ID)$. 
The secret key is extracted as 

$$T = a^{Q_{ID}^{-1}} \pmod n.$$ 

Note that this value can only be computed by the TA who knows the factorization 
of $n$, because $Q_{ID}^{-1}$ is computed modulo $\phi(n)$. 

Hash: The Hash$(\cdot)$ algorithm is defined as 

$$\mathcal{H}(ID, m, r) = a^{h(m)}\, r^{Q_{ID}} \pmod n$$ 

where $h(\cdot)$ is a secure hash function and $Q_{ID} = \mathcal{H}_{ID}(ID)$. 

Forge: The Forge algorithm is defined as follows. 

$$\mathrm{Forge}(ID, Q_{ID}, m, r, h, m') = r' = T^{\,h(m) - h(m')}\, r \pmod n.$$ 



Completeness. The completeness of the Forge algorithm is justified as follows. 

$$\begin{aligned} 
\mathrm{Hash}(ID, m', r') &= a^{h(m')} (r')^{Q_{ID}} \pmod n \\ 
&= a^{h(m')} \left\{ T^{\,h(m)-h(m')}\, r \right\}^{Q_{ID}} \pmod n \\ 
&= a^{h(m')} \left\{ a^{Q_{ID}^{-1}(h(m)-h(m'))}\, r \right\}^{Q_{ID}} \pmod n \\ 
&= a^{h(m')} \left\{ a^{h(m)-h(m')}\, r^{Q_{ID}} \right\} \pmod n \\ 
&= a^{h(m)}\, r^{Q_{ID}} \pmod n \\ 
&= \mathrm{Hash}(ID, m, r). 
\end{aligned}$$ 

We note that the owner of the secret key can always produce a collision in the 
hash function with an overwhelming probability. $\square$ 
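The four algorithms of Scheme 1, as an added Python example that is not part of the paper: it uses constructed toy safe primes (far too small to be secure), instantiates $h(\cdot)$ and $\mathcal{H}_{ID}$ with SHA-256 (an assumption; the paper leaves them abstract), demonstrates the trapdoor collision, and also carries out the reduction used in the security analysis that follows, turning a collision into a $Q_{ID}$-th root of $a^{h(m')-h(m)}$ without the factorization of $n$. The helper that retries identities until $Q_{ID}$ is invertible modulo $\phi(n)$ is a toy-parameter convenience, not part of the scheme.

```python
"""Scheme 1: ID-based chameleon hash based on factorization (Section 3.1), toy parameters."""
import hashlib
import secrets
from math import gcd

# Constructed safe primes p = 2p'+1, q = 2q'+1 (far too small for real use).
P_PRIME, Q_PRIME = 509, 593
P, Q = 2 * P_PRIME + 1, 2 * Q_PRIME + 1      # 1019 and 1187


def h(msg: bytes) -> int:
    """Secure hash h(.) of the paper, instantiated as SHA-256 (assumption)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def h_id(identity: str, n: int) -> int:
    """H_ID(ID) -> Q_ID: SHA-256 mod n, forced odd so that Q_ID is coprime to the
    factor 4 of phi(n) = 4p'q' (this instantiation is an assumption, not the paper's)."""
    return int.from_bytes(hashlib.sha256(b"ID|" + identity.encode()).digest(), "big") % n | 1


def setup(p: int = P, q: int = Q):
    """TA's Setup: VK = (n, a) with ord_n(a) = p'q', SK = (p, q)."""
    n = p * q
    pp, qq = (p - 1) // 2, (q - 1) // 2
    x = 2
    while True:                  # a = x^4 has order dividing p'q'; reject the degenerate orders
        a = pow(x, 4, n)
        if a != 1 and pow(a, pp, n) != 1 and pow(a, qq, n) != 1:
            return (n, a), (p, q)
        x += 1


def extract(sk, vk, identity: str) -> int:
    """Extract: T = a^{Q_ID^{-1} mod phi(n)} mod n; needs the factorization of n."""
    p, q = sk
    n, a = vk
    phi = (p - 1) * (q - 1)
    q_id = h_id(identity, n)
    if gcd(q_id, phi) != 1:      # Q_ID has no inverse mod phi(n): negligible for real sizes
        raise ValueError("Q_ID not invertible modulo phi(n)")
    return pow(a, pow(q_id, -1, phi), n)


def chameleon_hash(vk, identity: str, m: bytes, r: int) -> int:
    """Hash(ID, m, r) = a^{h(m)} r^{Q_ID} mod n; anyone can compute it from VK."""
    n, a = vk
    return pow(a, h(m), n) * pow(r, h_id(identity, n), n) % n


def forge(vk, trapdoor: int, m: bytes, r: int, m2: bytes) -> int:
    """Forge: r' = T^{h(m)-h(m')} r mod n, so that Hash(ID, m', r') = Hash(ID, m, r)."""
    n, _ = vk
    return pow(trapdoor, h(m) - h(m2), n) * r % n


def collision_to_rsa_root(vk, identity: str, m: bytes, r: int, m2: bytes, r2: int):
    """Reduction of Theorem 1: a collision gives r/r' = (a^{h(m')-h(m)})^{Q_ID^{-1}} mod n,
    a Q_ID-th root (an 'RSA signature' under public exponent Q_ID) obtained without p, q."""
    n, a = vk
    root = r * pow(r2, -1, n) % n
    target = pow(a, h(m2) - h(m), n)
    return root, pow(root, h_id(identity, n), n) == target


def usable_identity(vk, sk, base: str = "alice@example.org"):
    """Toy helper: with these tiny primes gcd(Q_ID, p'q') != 1 is not negligible, so try
    counter-suffixed identities until Extract succeeds (constructed, not part of the scheme)."""
    for ctr in range(64):
        identity = f"{base}#{ctr}"
        try:
            return identity, extract(sk, vk, identity)
        except ValueError:
            continue
    raise RuntimeError("no usable identity")


if __name__ == "__main__":
    vk, sk = setup()
    identity, trapdoor = usable_identity(vk, sk)
    r = secrets.randbelow(vk[0])
    m, m2 = b"transfer 10", b"transfer 1000"
    r2 = forge(vk, trapdoor, m, r, m2)
    print(chameleon_hash(vk, identity, m, r) == chameleon_hash(vk, identity, m2, r2))
```

The `collision_to_rsa_root` function is the constructive content of the reduction: anyone holding two openings of the same hash value can compute $r/r'$ and check that its $Q_{ID}$-th power equals $a^{h(m')-h(m)}$, which is exactly what the proof argues should be infeasible without the trapdoor.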

Security Analysis 

As noted in [2], we need to show the following security requirement. 
Theorem 1. Our first ID-based chameleon hash function is resistant to forgery, 
assuming that the RSA signature scheme is resistant. 

Proof. We prove our argument by contradiction. Firstly, we assume there is an 
algorithm $\mathcal{F}$ that can produce a collision for our first ID-based chameleon 
hash function without the knowledge of the trapdoor information $T$, and we build 
an algorithm $\mathcal{A}$ that uses $\mathcal{F}$ to generate an RSA signature 
without the trapdoor information. The algorithm $\mathcal{F}$ can produce a 
collision such that 

$$\mathrm{Hash}(ID, m, r) = \mathrm{Hash}(ID, m', r')$$ 

for a given $c = \mathrm{Hash}(ID, m, r)$, a pair of messages $(m, m')$ and a 
random number $r$. We build the algorithm $\mathcal{A}$ as follows. 

— Run algorithm $\mathcal{F}$ given $(c, m, m', r)$ to produce $r' \neq r$. 

— From this collision, $a^{h(m)}\, r^{Q_{ID}} = a^{h(m')}\, (r')^{Q_{ID}} \pmod n$ 
holds. That means $(r/r')^{Q_{ID}} = a^{h(m') - h(m)} \pmod n$. 

— From the above knowledge, we can compute 
$(r/r') = \left(a^{h(m') - h(m)}\right)^{Q_{ID}^{-1}} \pmod n$, 
which was assumed to be infeasible without the knowledge of the factorization of $n$. 

We note that by running our algorithm $\mathcal{A}$, we have successfully 
"extracted" an RSA signature on $a^{h(m') - h(m)}$ (with a "public key" $Q_{ID}$ 
associated with $n$) without the knowledge of the factorization of $n$. This 
result contradicts the assumption that it is infeasible to compute an RSA 
signature on a message without the knowledge of the factorization of $n$ (the 
difficulty of finding the $e$-th root modulo $n$). $\square$ 

3.2 Scheme 2: An ID-Based Chameleon Hash Based on RSA 

In this section, we design an ID-based chameleon hash function based on RSA. 
Essentially, this construction simplifies the construction proposed in [2]. We note 
that our construction is inspired by Shamir's ID-based signature scheme proposed 
in [10]. The Setup and Extract algorithms follow the same setting as the 
construction in [10]. 

Setup: The TA generates two safe prime numbers $p$ and $q$ (where $p = 2p' + 1$, 
$q = 2q' + 1$, and $p', q'$ are also prime). Then, he generates an RSA key pair 
$(e, d)$, where $d = e^{-1} \pmod{4p'q'}$, together with computing $n = pq$. The 
published values, VK, are $(e, n)$, and $d$ is kept secret by the TA (as TA's SK). 
We note that on several occasions we would also like to keep $p$ and $q$ as part 
of the secret information (e.g. to make the computation faster with the Chinese 
Remainder Theorem). 

Extract: To extract his secret key, a party obtains his identity ID and applies the 
public hash function $\mathcal{H}_{ID}$ to obtain $Q_{ID} = \mathcal{H}_{ID}(ID)$. 
The secret key is extracted as 

$$T = Q_{ID}^{\,d} \pmod n.$$ 

Note that this process can only be performed by the TA who knows the secret key 
$d$ under the published public key $(e, n)$. The values $p$ and $q$ are discarded 
afterwards. 

Hash: The Hash$(\cdot)$ algorithm is defined as follows. 

$$\mathrm{Hash}(ID, m, r) = Q_{ID}^{\,h(m)}\, r^{e} \pmod n$$ 

where $h(\cdot)$ is a secure hash function, and $Q_{ID} = \mathcal{H}_{ID}(ID)$. 

Forge: The Forge algorithm is defined as follows. 

$$\mathrm{Forge}(ID, Q_{ID}, m, r, h, m') = r' = T^{\,h(m) - h(m')}\, r \pmod n.$$ 



Completeness. The completeness of the Forge algorithm for Scheme 2 is justified 
as follows. 

$$\begin{aligned} 
\mathrm{Hash}(ID, m', r') &= Q_{ID}^{\,h(m')} (r')^{e} \pmod n \\ 
&= Q_{ID}^{\,h(m')} \left\{ T^{\,h(m)-h(m')}\, r \right\}^{e} \pmod n \\ 
&= Q_{ID}^{\,h(m')} \left\{ Q_{ID}^{\,(h(m)-h(m'))d}\, r \right\}^{e} \pmod n \\ 
&= Q_{ID}^{\,h(m')} \left\{ Q_{ID}^{\,h(m)-h(m')}\, r^{e} \right\} \pmod n \\ 
&= Q_{ID}^{\,h(m)}\, r^{e} \pmod n \\ 
&= \mathrm{Hash}(ID, m, r). 
\end{aligned}$$ 

$\square$ 



Security Analysis 

Theorem 2. Our ID-based chameleon hash function based on RSA is resistant 
to forgery, assuming that the RSA signature scheme is resistant. 

Proof. We assume there is an algorithm $\mathcal{F}$ that can produce a collision 
for our ID-based chameleon hash function without the knowledge of the trapdoor 
information $T$, that is, a collision 

$$\mathrm{Hash}(ID, m, r) = \mathrm{Hash}(ID, m', r')$$ 

for a given $c = \mathrm{Hash}(ID, m, r)$, a pair of messages $(m, m')$ and a 
random number $r$. We construct an algorithm $\mathcal{A}$ that uses 
$\mathcal{F}$ to generate an RSA signature as follows. 

— Run algorithm $\mathcal{F}$ given $(c, m, m', r)$ to produce $r' \neq r$, so that 
the collision occurs. 

— From this collision, we obtain $\mathrm{Hash}(ID, m, r) = \mathrm{Hash}(ID, m', r')$, or 

$$Q_{ID}^{\,h(m)}\, r^{e} = Q_{ID}^{\,h(m')}\, (r')^{e} \pmod n.$$ 

— From the above equation, we obtain 

$$(r/r')^{e} = Q_{ID}^{\,h(m') - h(m)} \pmod n.$$ 

— The above equation is equivalent to 

$$(r/r') = \left(Q_{ID}^{\,h(m') - h(m)}\right)^{d} \pmod n.$$ 

— Note that $\left(Q_{ID}^{\,h(m') - h(m)}\right)^{d}$ is an RSA signature on 
$Q_{ID}^{\,h(m') - h(m)}$, which is assumed to be infeasible to compute without 
the knowledge of the trapdoor $d$. 

— Hence, we have successfully "extracted" an RSA signature on 
$Q_{ID}^{\,h(m') - h(m)}$ without the knowledge of $d$. 

We note that the success probability of the algorithm $\mathcal{A}$ is the same as 
that of the algorithm $\mathcal{F}$. Assuming that RSA is secure, our ID-based 
scheme is therefore also secure. $\square$ 

3.3 Scheme 3: An ID-Based Chameleon Hash Based on 
Factorization 

In this section, we design an ID-based chameleon hash function based on 
factorization. Unlike the previous two constructions, the TA does not need to keep 
any information other than the factorization of $n$ as his secret key SK. 

Setup: The TA generates two safe prime numbers $p$ and $q$, and computes $n = pq$. 
The public key VK is $n$, and the secret key SK is $(p, q)$. 

Extract: To extract his secret key, a party obtains his identity ID and applies the 
public hash function $\mathcal{H}_{ID}$ to obtain $Q_{ID} = \mathcal{H}_{ID}(ID)$. 
The secret key is extracted as 

$$T = Q_{ID}^{\,Q_{ID}^{-1}} \pmod n.$$ 

Note that the computation of $Q_{ID}^{-1}$ is performed modulo $\phi(n)$, which is 
infeasible without the knowledge of the factorization of $n$. 

Hash: The Hash$(\cdot)$ algorithm is defined as follows. 

$$\mathcal{H}(ID, m, r) = Q_{ID}^{\,h(m)}\, r^{Q_{ID}} \pmod n$$ 

where $h(\cdot)$ is a secure hash function, and $Q_{ID} = \mathcal{H}_{ID}(ID)$. 

Forge: The Forge algorithm is defined as follows. 

$$\mathrm{Forge}(ID, Q_{ID}, m, r, h, m') = r' = T^{\,h(m) - h(m')}\, r \pmod n.$$ 

Completeness. The completeness of the Forge algorithm for Scheme 3 is justified 
as follows. 

$$\begin{aligned} 
\mathrm{Hash}(ID, m', r') &= Q_{ID}^{\,h(m')} (r')^{Q_{ID}} \pmod n \\ 
&= Q_{ID}^{\,h(m')} \left\{ T^{\,h(m)-h(m')}\, r \right\}^{Q_{ID}} \pmod n \\ 
&= Q_{ID}^{\,h(m')} \left\{ Q_{ID}^{\,Q_{ID}^{-1}(h(m)-h(m'))}\, r \right\}^{Q_{ID}} \pmod n \\ 
&= Q_{ID}^{\,h(m')} \left\{ Q_{ID}^{\,h(m)-h(m')}\, r^{Q_{ID}} \right\} \pmod n \\ 
&= Q_{ID}^{\,h(m)}\, r^{Q_{ID}} \pmod n \\ 
&= \mathrm{Hash}(ID, m, r). 
\end{aligned}$$ 

Theorem 3. Our third scheme is resistant to forgery, assuming that RSA sig- 
nature scheme is resistant. 

Proof. The proof is very similar to those of Theorem 1 and Theorem 2, and is 
therefore omitted. $\square$ 

3.4 Efficiency Comparison 

In this section we compare the efficiency of our proposed schemes with the scheme 
proposed in [2]. The efficiency of ID-based chameleon hash functions can be 
measured in terms of the parameter lengths: the length of TA's public key, the 
length of TA's secret key and the length of the recipient's secret key (after 
Extract). To compare two ID-based chameleon hash functions, we fix the level of 
security provided by the two schemes and find the size of the three length 
parameters. Table 1 gives the results of the comparison of four ID-based chameleon 
hash functions. We fix the size of the prime numbers $p$ and $q$ and, without loss 
of generality, assume that their sizes are equal. Let $\tau = |p|_2 \approx |q|_2$. 
Therefore, we have $|n|_2 \approx 2\tau$. We assume that the length of the elements 
used to construct the secret/public key parameters is $\kappa$. The first scheme 
refers to the scheme proposed in [2]. We refer to this scheme as the AM scheme 
(which stands for "Ateniese-Medeiros" scheme). The next three columns refer to the 
three schemes presented earlier. 

In the scheme proposed in [2], TA's public key VK is $(n, v)$, where $n = pq$ and 
$v$ is a random integer. The secret key SK is $(p, q, w)$, where 
$vw + z(p-1)(q-1) = 1$. The Hash function is defined as 
$\mathrm{Hash}(ID, m, r) = Q_{ID}^{\,h(m)}\, r^{v} \pmod n$. The recipient's secret 
key is extracted as $Q_{ID}^{\,w} \pmod n$. 

As shown in Table 1, our schemes outperform the scheme proposed in [2]. In 
particular, scheme 2 requires the shortest SK length for the TA and scheme 3 
requires TA's VK length = TA's SK length = Recipient's SK length = $2\tau$. 

Table 1. Comparison of Efficiency Parameters 

                             AM scheme [2]        Scheme 1             Scheme 2            Scheme 3 
  TA's VK length             2τ + κ               2τ + κ               2τ + κ              2τ 
  TA's SK length             2τ + κ               2τ                   κ                   2τ 
  Recipient's SK length      2τ                   2τ                   2τ                  2τ 
  Hash(ID, m, r) (mod n)     Q_ID^{h(m)} r^v      a^{h(m)} r^{Q_ID}    Q_ID^{h(m)} r^e     Q_ID^{h(m)} r^{Q_ID} 
  Extract(·) (mod n)         Q_ID^w               a^{Q_ID^{-1}}        Q_ID^d              Q_ID^{Q_ID^{-1}} 
  Underlying hard problem    Factorization        RSA                  RSA                 Factorization 

4 Generic Construction for Deniable Ring Authentication 
Schemes 

In this section, we describe our generic construction for deniable ring 
authentication schemes. Our construction is based on the ID-based chameleon hash 
functions $\mathcal{H}_{ID}(\cdot)$ described in the previous section. Let $V_{ID}$ 
be the recipient of the deniable ring authentication, who has his identity ID 
published. The construction is defined as follows. 

1. Define: 

   DeniableSign$(m, sk, L, V_{ID}) \triangleq$ 
   { 
     $h \leftarrow \mathcal{H}_{V_{ID}}(ID, m, r)$, for a random $r$; 
     $\sigma_1 \leftarrow \mathcal{S}(h, sk, L)$; 
     $\sigma \leftarrow (\sigma_1 \,\|\, r)$. 
   } 

   The signed message is $(m, \sigma)$. 

2. Define: 

   DeniableVerify$(m, \sigma, L) =$ 
   { 
     $(\sigma_1 \,\|\, r) \leftarrow \sigma$; 
     $h \leftarrow \mathcal{H}_{V_{ID}}(ID, m, r)$; 
     Result $\leftarrow \mathcal{V}(h, \sigma_1, L)$. 
   } 

   The result of the verification is defined as 
   Result $\leftarrow$ DeniableVerify$(m, \sigma, L)$, 
   which is either True or $\bot$, meaning accept or reject, respectively. 



Theorem 4. The resulting signature is non-transferable. 

Proof. We note that the resulting deniable ring authentication does not allow 
the verifier $V$ to convince any third party of this fact. This is due to the use 
of the ID-based chameleon hash function $\mathcal{H}(\cdot)$. The verifier $V$ can 
always contact the TA to extract his secret key and execute the Forge algorithm to 
create a valid pair $(m', r')$, for $m' \neq m$, that will pass the ring signature 
verification algorithm. $\square$ 

Theorem 5. A signer $S$ can always create an ad-hoc group $\mathcal{S}$ and 
generate a deniable ring authentication without contacting the verifier $V$. 

Proof. Due to the use of the ID-based chameleon hash function, the verifier does 
not need to have her public key set up before receiving a message that is signed 
with a deniable ring authentication scheme. The signer is only required to contact 
the TA if he wants to 'forge' a signature. $\square$ 

We note that an interesting property of the above deniable ring authentication 
scheme is that it allows a signer to form an ad-hoc group and sign on behalf of 
the group without contacting the verifier. The verifier is only obliged to contact 
the TA if he wants to 'forge' a signature. However, since there is no way to know 
whether the verifier has contacted the TA or not, the resulting signature cannot 
be used to convince any other third party (the non-transferability property). 



4.1 Comparison with Other Schemes 

In this section, we provide a complete comparison between our scheme and 
the other deniable authentication schemes, namely the RST scheme proposed in 
[8] (achieved by adding the verifier to the ring) and Naor's scheme proposed 
in [7]. The result of this comparison is illustrated in Table 2. In the comparison 
below, we assume that the length of any ring signature is denoted by $|\Sigma|_2$. 
The length of the random number $r$ required in our scheme is denoted by $|r|_2$. 



Table 2. Comparison of Deniable Authentication Schemes 

                            RST Scheme [8]                   Naor's Scheme [7]                    Our Scheme 
  Additional assumption     The verifier V is required       An anonymous routing channel         n/a 
                            to have his public key set up    exists (for interactive protocol) 
  Implication of the        The verifier V can be added      An interactive protocol              n/a 
  assumption                to the ring S 
  Requirements              V ∈ S                            V ∉ S                                V ∉ S 
  Protocol                  Non-interactive                  Interactive                          Non-interactive 
  Signature length          |Σ|_2                            at least 2|Σ|_2                      |Σ|_2 + |r|_2 
  Size of the ring S        2 (can be extended to n)         n                                    n 

From the comparison table above, we can conclude that our scheme is the only 
scheme that satisfies all the requirements of deniable authentication schemes [7] 
without any interactive protocol required. In the scheme proposed in [8], 
although a non-interactive protocol is used, it is assumed that $V \in \mathcal{S}$, 
which violates the original assumption proposed in [7]. Our scheme also produces a 
shorter signature compared to [7]. 



4.2 An Example 

We present a sample conversion of the ring signature scheme proposed in [1] to 
construct a deniable ring authentication scheme as described in the previous 
section. We use the ring signature scheme based on RSA proposed in [1], together 
with our ID-based chameleon hash function based on RSA presented in section 3.2. 
The ID-based chameleon hash function is defined as 

$$\mathrm{Hash}(ID, m, r) = Q_{ID}^{\,h(m)}\, r^{e} \pmod n.$$ 

For $i = 0, \dots, N-1$, let $(e_i, n_i)$ be RSA public keys and 
$H_i : \{0,1\}^* \to \mathbb{Z}_{n_i}$ be hash functions. Let $L$ be a list of these 
public keys. The TA has published his public key $(e, n)$ as described in section 
3.2. We assume that the verifier $V$ has his identity, ID, published. For 
simplicity, we also assume a signer $S_k$ would like to send a deniable ring 
authenticated message to $V$. Let the size of the ring be $N$. 

A signer $S_k$ who owns the private key $d_k$ generates a signature for a message 
$m$ as follows. 

— Obtain the identity of the recipient, ID, and compute $Q_{ID} = \mathcal{H}_{ID}(ID)$. 

— Select a random number $r \in \mathbb{Z}_n$ and compute 

$$h = Q_{ID}^{\,h(m)}\, r^{e} \pmod n.$$ 

— Select $N$ random numbers $r_1 \in \mathbb{Z}_{n_1}, \dots, r_N \in \mathbb{Z}_{n_N}$. 

— From $r_k$, $k \in \{1, \dots, N\}$, compute $c_{k+1} = H_{k+1}(L, h, r_k)$. 

— For $i = k+1, \dots, N-1, 0, 1, \dots, k-1$, select $s_i \in \mathbb{Z}_{n_i}$ and 
compute $c_{i+1} = H_{i+1}(L, h, c_i + s_i^{e_i} \pmod{n_i})$. 

— Compute $s_k = (r_k - c_k)^{d_k} \pmod{n_k}$. 

The resulting signature is $(r, c_0, s_0, s_1, \dots, s_{N-1})$. 
To verify a signature, the verifier $V$ performs the following. 

— Generate $Q_{ID} = \mathcal{H}_{ID}(ID)$ for his ID. 

— Compute $h = Q_{ID}^{\,h(m)}\, r^{e} \pmod n$. 

— For $i = 0, \dots, N-1$, compute 

  • $r_i = c_i + s_i^{e_i} \pmod{n_i}$; 

  • $c_{i+1} = H_{i+1}(L, h, r_i)$ if $i \neq N-1$. 

— Accept if $c_0 = H_0(L, h, r_{N-1})$ holds. Otherwise, reject. 



Theorem 6. The above signature scheme is a non-interactive deniable ring
authentication scheme.

Proof (sketch). The proof can be derived from the use of the ID-based chameleon
hash function described in Section 3.2. The verifier V can contact TA to retrieve
his secret key T. Obtaining his secret key, he can select any message $m' \neq m$
and execute the Forge algorithm to retrieve the associated $r' \neq r$ that will pass
the verification test. The underlying ring signature used remains the same, and
hence, we have obtained a deniable ring authentication scheme. □
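The conversion of Section 4.2 and the forgery step of Theorem 6, written out end to end as an added example (not code from the paper): an AOS-style RSA ring of [1] is closed over the chameleon hash $h = Q_{ID}^m r^e \bmod n$, and the verifier then uses his trapdoor to produce a collision for a different message so that the same ring signature verifies. Assumed, because the text does not fix them: $H_i$ and $H_{ID}$ are SHA-256 reduced modulo the relevant modulus, m is the SHA-256 digest of the message read as an integer, the trapdoor TA hands out is $Q_{ID}^d \bmod n$ (the e-th root of $Q_{ID}$), and all key sizes are toy.

```python
"""Toy deniable ring authentication as assembled in Section 4.2: an AOS-style RSA
ring signature [1] closed over the ID-based chameleon hash Q_ID^m r^e mod n.
Added example, not the paper's code; key sizes are toy, hash encodings assumed."""
import hashlib
import random


def _is_prime(n):
    """Trial division; enough for the 20-bit toy primes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def rsa_keypair(rng, bits=20, e=65537):
    """Toy RSA key (e, n, d); e is prime, so gcd(e, phi) = 1 iff e does not divide phi."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p != q and _is_prime(p) and _is_prime(q) and ((p - 1) * (q - 1)) % e:
            return e, p * q, pow(e, -1, (p - 1) * (q - 1))


def _h(tag, modulus, *parts):
    """H_tag : {0,1}* -> Z_modulus, instantiated as SHA-256 mod modulus (assumption)."""
    data = "|".join(str(v) for v in (tag,) + parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus


def _m(msg):
    """Message bytes -> the integer exponent m (assumed encoding: SHA-256 digest)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def chameleon_hash(ta_pub, recipient_id, msg, r):
    """Hash(ID, m, r) = Q_ID^m r^e mod n with Q_ID = H_ID(ID) and TA key (e, n)."""
    e, n = ta_pub
    return pow(_h("ID", n, recipient_id), _m(msg), n) * pow(r, e, n) % n


def ta_extract(ta_pub, d_ta, recipient_id):
    """The verifier's trapdoor from TA: the e-th root Q_ID^d mod n (Section 3.2, assumed)."""
    return pow(_h("ID", ta_pub[1], recipient_id), d_ta, ta_pub[1])


def forge(ta_pub, trapdoor, msg, r, new_msg):
    """Collision: r' = r * B^(m - m') mod n, so Q_ID^m' r'^e = Q_ID^m r^e (Python 3.8+)."""
    n = ta_pub[1]
    return r * pow(trapdoor, _m(msg) - _m(new_msg), n) % n


def ring_sign(ta_pub, pubkeys, k, d_k, recipient_id, msg, rng):
    """Signer S_k (0-based index k, private key d_k) signs msg for recipient_id."""
    N, L = len(pubkeys), str(pubkeys)
    r = rng.randrange(1, ta_pub[1])
    h = chameleon_hash(ta_pub, recipient_id, msg, r)
    c, s = [None] * N, [None] * N
    n_k = pubkeys[k][1]
    r_k = rng.randrange(n_k)                        # the random r_k the ring is closed on
    c[(k + 1) % N] = _h((k + 1) % N, pubkeys[(k + 1) % N][1], L, h, r_k)
    for i in [(k + j) % N for j in range(1, N)]:    # i = k+1, ..., N-1, 0, ..., k-1
        e_i, n_i = pubkeys[i]
        s[i] = rng.randrange(n_i)
        nxt = (i + 1) % N
        c[nxt] = _h(nxt, pubkeys[nxt][1], L, h, (c[i] + pow(s[i], e_i, n_i)) % n_i)
    s[k] = pow((r_k - c[k]) % n_k, d_k, n_k)        # only d_k can close the ring
    return r, c[0], s


def ring_verify(ta_pub, pubkeys, recipient_id, msg, sig):
    """Recompute h, walk the ring with r_i = c_i + s_i^e_i, accept if it closes at c_0."""
    r, c0, s = sig
    N, L = len(pubkeys), str(pubkeys)
    h = chameleon_hash(ta_pub, recipient_id, msg, r)
    c = c0
    for i in range(N):
        e_i, n_i = pubkeys[i]
        nxt = (i + 1) % N                           # i = N-1 feeds H_0
        c = _h(nxt, pubkeys[nxt][1], L, h, (c + pow(s[i], e_i, n_i)) % n_i)
    return c == c0


def demo(seed=7):
    """(honest signature verifies, the verifier's forgery on another message verifies,
    the original signature presented with that other message fails)."""
    rng = random.Random(seed)
    e_ta, n_ta, d_ta = rsa_keypair(rng)
    keys = [rsa_keypair(rng) for _ in range(4)]       # ring of N = 4 members
    pubkeys = [(e, n) for e, n, _ in keys]
    ta_pub, vid, k = (e_ta, n_ta), "verifier@example.test", 2
    sig = ring_sign(ta_pub, pubkeys, k, keys[k][2], vid, b"pay 10", rng)
    honest = ring_verify(ta_pub, pubkeys, vid, b"pay 10", sig)
    r2 = forge(ta_pub, ta_extract(ta_pub, d_ta, vid), b"pay 10", sig[0], b"pay 99")
    forged = ring_verify(ta_pub, pubkeys, vid, b"pay 99", (r2, sig[1], sig[2]))
    wrong = ring_verify(ta_pub, pubkeys, vid, b"pay 99", sig)
    return honest, forged, wrong
```

Because the forged pair (m', r') hashes to the same h, a third party seeing a valid signature cannot tell whether the signer or the trapdoor-holding verifier produced it, which is exactly the non-transferability argument.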
5 Conclusions

In this paper, we presented a novel construction of a deniable ring authentication
scheme that does not require any interaction to verify the authenticity
of the message. Our scheme combines any ring signature scheme with an ID-based
chameleon hash function that allows the resulting signature to be non-transferable.
In our construction, the verifier V (or the signature recipient) does
not necessarily need to retrieve the associated secret key that is related to his
published identification, ID, unless he wants to ‘forge’ a signature. Based on this
idea, the resulting signature becomes non-transferable, since any third party
cannot determine whether the verifier has retrieved his secret key and produced a
collision on the hash function or not. We presented a generic construction of deniable
ring authentication schemes. Unlike the construction proposed in [7], our
scheme produces a shorter signature size (cf. [7]). We presented three ID-based
chameleon hash functions that outperform the construction proposed in [2],

Abstract. The concept of a group signature allows a group member to
sign messages anonymously on behalf of the group. In the event of a
dispute, a designated entity can reveal the identity of the signer. Previous
group signature schemes use an RSA-signature-based membership
certificate and a signature based on a proof of knowledge (SPK) in order
to prove possession of a valid membership certificate. In these
schemes, the SPK is generated over an unknown-order group, which requires
more work and memory than a publicly-known-order group.
Recently, a group signature based on a known-order group was proposed.
However, it requires an unknown-order group as well as a known-order
group. Furthermore, unfortunately, it does not provide the function of
revocation. In this paper, we propose a group signature scheme based
on only publicly-known-order groups. Our scheme improves the Nyberg-
Rueppel signature to fit the generation of membership certificates and uses
SPKs over a cyclic group whose order is publicly known. As a result,
our scheme reduces the size of the group signature and the computational
cost of signature generation and verification.



1 Introduction 

A group signature, proposed by Chaum and van Heyst [10], allows a group member
to sign messages anonymously on behalf of the group. A group signature has a
feature of tracing, that is, the identity of a signer can be revealed by a designated
entity in case of dispute. A group signature involves three entities: group
members, a group manager, and an escrow manager. The group manager is
responsible for the system setup, registration and revocation of group members.
The escrow manager has the ability to reveal the anonymity of signatures with
the help of the group manager.

A group signature consists of six functions, setup, registration of a user, 
revocation of a group member, signature generation, verification, and tracing, 
which satisfy the following features: 

Unforgeability : Only group members are able to generate a signature on a 
message; 

Exculpability : Even if the group manager, the escrow manager, and some of 
group members collude, they can not generate a signature on behalf of other 
group members; 



M. Jakobsson, M. Yung, J. Zhou (Eds.): ACNS 2004, LNCS 3089, pp. 164-179, 2004. 
Anonymity : Nobody can identify a group member who generated a signature
on a message; 

Traceability : In the case of a dispute, the identity of a group member is revealed 
by the cooperation of both the group manager and the escrow manager; 
Unlinkability : Nobody can decide whether or not two signatures have been 
issued by the same group member; 

Revocability : In the case of withdrawal, the group manager can revoke a mem- 
ber, and a signature generated by the revoked member can not pass the 
verification; 

Anonymity after revocation : Nobody can identify a group member who gener- 
ated a signature on a message even after a group member was revoked; 
Unlinkability after revocation : Nobody can decide whether or not two signa- 
tures have been issued by the same group member even after a group member 
was revoked. 

The efficiency of a group signature scheme is measured by the size of the public key
and signature, the work complexity of signature generation and verification, and
the administration complexity of revocation and registration of a group member.

Various group signature schemes have been proposed [5,6,9,8,1,4,16,3,7,2].
These group signature schemes are classified into two types, a public-key-
registration type and a certificate-based type. In the former type, [5,6] are
constructed by using only known-order groups. However, in their schemes, both the
group public key and the signature size depend on the number of group members.
This yields a serious problem for large groups. In the latter type, [9,8,1,4,
16,7,3,2] give a membership certificate to group members, and the group signature
is based on a zero-knowledge proof of knowledge (SPK) of the membership
certificate. Therefore, neither the group public key nor the signature size depends on
the number of group members. In these previous certificate-based type group
signature schemes, the membership certificate has used an RSA signature over
an unknown-order group, and, thus, the size of the group signature becomes huge.

In this paper, we present an efficient group signature scheme based on a
Nyberg-Rueppel signature. This is the first scheme that is constructed on only
known-order groups and that realizes the full features of unforgeability, exculpability,
anonymity, traceability, unlinkability, and revocability. As a result, the
signature size and the computational cost of signature generation and verification
are reduced. We also give the security proof of the membership certificate and
the group signature. Furthermore, our scheme also applies the Certificate Revocation
List (CRL)-based revocation which was proposed by Ateniese and Tsudik [3], with
only slightly more additional work.

This paper is organized as follows. In the next section, we provide an overview 
of related work. In Section 2, we summarize some notations and definitions used 
in this paper. In Section 3, we propose our new group signature scheme. Section 4 
discusses the security of our scheme. Features and efficiency of our scheme are 
analyzed in Section 5. Finally, Section 6 concludes our paper. 
1.1 Related Work

Various certificate-based type group signature schemes have been proposed in
[1,3,4,7,8,9,16]. These schemes are based on the following mechanisms. A user,
denoted by $M_i$, who wants to join the group, chooses a random secret key $x_i$,
and computes $y_i = f(x_i)$, where f is a suitable one-way function. $M_i$ commits to
$y_i$ (for instance, $M_i$ signs $y_i$) and sends both $y_i$ and the commitment to the
group manager denoted by GM, who returns to $M_i$ a membership certificate
$cert_i = Sig_{GM}(y_i)$. To sign a message m on behalf of the group, $M_i$ encrypts $y_i$ to
$C_i$ using the public key of the escrow manager denoted by EM, and generates a
signature based on a proof of knowledge which shows the knowledge of both $x_i$
and $cert_i$ such that $cert_i = Sig_{GM}(f(x_i))$. The verification is done by checking the
signature of knowledge. The escrow manager can easily reveal the anonymity of
a group signature by decrypting $C_i$.

These group signature schemes are classified into two types, a public-key-
registration type and a certificate-based type. Public-key-registration type group
signature schemes [5,6] use only known-order groups and can easily realize
revocation by removing the group member’s public key. However, both the group
public key and the signature size depend on the number of group members. This
becomes serious if we apply them to a large group. On the other hand, the group
signature schemes of certificate-based type must make the member’s certificate
invalid when they revoke a member. However, since the previous schemes [9,8,1,2]
do not provide any function of revocation, they cannot realize the feature of
revocability. The schemes [4,16,3,7] provide the function of revocation. In Song’s
scheme [16], a membership certificate is valid for a limited period. Therefore, each
group member has to update his/her membership certificate in each time period.
Camenisch and Lysyanskaya’s scheme [7] needs to update a membership certificate
in both cases of registration and revocation. Thus, their scheme requires
additional cost to manage the valid members, although their verification does not
depend on the number of registered or revoked members. Bresson and Stern’s
scheme [4] uses a CRL to realize revocation. A CRL is a public list of information
related to revoked members’ certificates. This scheme does not have to update a
membership certificate, but the size of the group signature and the cost of signature
generation and verification depend on the number of revoked members. Ateniese
and Tsudik proposed a quasi-efficient solution for CRL-based revocation [3].
The CRL-based revocation scheme is based on the following mechanism. The group
manager computes $V_j = f'(cert_j)$ for each revoked member $M_j$ by using a suitable
one-way function $f'$ and publishes $V_j$ together with the current CRL. In
the signing phase, a signer $M_i$ also sends $T = f''(f'(cert_i))$ with a signature by
using a suitable one-way function $f''$. In the verification phase, a verifier checks
that $T \neq f''(V_j)$ for $\forall V_j \in \mathcal{CRL}$. The signature size and the cost of signature
generation do not depend on the number of revoked members, but the cost of
verification depends on the number of revoked members. To sum up, there are
certificate-update-based revocation and CRL-based revocation. In the former,
the cost of verification does not depend on the number of revoked members, but
each group member needs to update a membership certificate. In the latter, each
group member does not need to update a membership certificate, but the cost
of verification depends on the number of revoked members.

In the certificate-based type group signature schemes, the membership certificate
has used an RSA signature over an unknown-order group, and thus the
size of the group signature becomes huge. Recently, the Nyberg-Rueppel signature was
applied to a group signature [2]. However, their scheme requires an unknown-
order group and must hide the membership certificate by a random value in
order to satisfy the features of anonymity and unlinkability. Thus, although
a known-order group is introduced, it suffers from much work complexity and
complicated interaction. Furthermore, since it does not provide the function of
revocation, much administrative complexity might be required in order to revoke
a member.



1.2 Our Contribution 

Our proposed scheme is constructed on only known-order groups and realizes
the full features of unforgeability, exculpability, traceability, unlinkability, and
revocability. In our scheme, a membership certificate is generated by a Nyberg-
Rueppel signature, and the features of anonymity and unlinkability are realized
by a zero-knowledge proof of knowledge which does not have to be hidden by
a random value, in contrast to [2]. Thus, our group signature is simpler
than [2]. As a result, the signature size and the computational cost of signature
generation and verification are reduced compared with [2]. Furthermore, our scheme also
provides CRL-based revocation with only slightly more additional work for group
members. We also give the security proof of the membership certificate and the group
signature.

2 Preliminaries 

2.1 Notation 

In this section, we summarize facts used in this paper. Let the empty string be
$\emptyset$. For a set A, $a \in_R A$ means that a is chosen randomly and uniformly from A,
and $A \setminus \{a\}$ means that $A - \{a\} = \{x \in A \mid x \neq a\}$. For a group $G \ni g$, $\mathrm{ord}(g)$
means the order of g in G. The bit length of a is denoted by |a|. Let c[j] be the j-th
bit of a string c. We use a collision resistant hash function $H : \{0,1\}^* \to \{0,1\}^k$.

2.2 Proof of Knowledge 

A signature based on a zero-knowledge proof of knowledge (SPK), denoted by
$SPK\{(\alpha_1, \dots, \alpha_w) : Predicates\}$, is used for proving that a signer knows
$\alpha_1, \dots, \alpha_w$ satisfying Predicates. We borrow three SPKs over known-order
groups from [11,15,6], SPKs of representations and of a double discrete logarithm.

Let q, p and $\bar p$ be primes with $q \mid (p-1)$ and $p \mid (\bar p - 1)$. We use two cyclic
groups $G_p$ of order q with $G_p \subset \mathbb{Z}_p^*$ and $G_{\bar p}$ of order p with $G_{\bar p} \subset \mathbb{Z}_{\bar p}^*$.
Definition 1. Let $g_1, \dots, g_u, y_1, \dots, y_v \in G_p$. An SPK proving the knowledge
of representations of $y_1, \dots, y_v$ to the bases $g_1, \dots, g_u$ on a message $m \in \{0,1\}^*$
is denoted as

$SPK\{(\alpha_1, \dots, \alpha_w) : y_1 = \prod_{j=1}^{J_1} g_{b_{1j}}^{\alpha_{a_{1j}}} \bmod p \;\wedge \cdots \wedge\; y_v = \prod_{j=1}^{J_v} g_{b_{vj}}^{\alpha_{a_{vj}}} \bmod p\}(m),$

where $J_i \in [1, \dots, u]$ is the number of bases of $y_i$, $a_{ij} \in [1, \dots, w]$ are indexes of
the elements $\alpha_{a_{ij}}$, and $b_{ij} \in [1, \dots, u]$ are indexes of the bases $g_{b_{ij}}$, which consists
of a set of $(c, s_1, \dots, s_w) \in \{0,1\}^k \times \mathbb{Z}_q^w$ satisfying
$c = H(g_1 \| \cdots \| g_u \| y_1 \| \cdots \| y_v \| y_1^c \prod_{j=1}^{J_1} g_{b_{1j}}^{s_{a_{1j}}} \bmod p \| \cdots \| y_v^c \prod_{j=1}^{J_v} g_{b_{vj}}^{s_{a_{vj}}} \bmod p \| m)$.

If a signer knows $x_1, \dots, x_w \in \mathbb{Z}_q$ such that $y_1 = \prod_{j=1}^{J_1} g_{b_{1j}}^{x_{a_{1j}}} \bmod p, \dots, y_v =
\prod_{j=1}^{J_v} g_{b_{vj}}^{x_{a_{vj}}} \bmod p$, then a signature on a message m can be computed as follows:

1. choose random exponents $r_d \in_R \mathbb{Z}_q^*$ for $1 \le d \le w$,

2. compute $c = H(g_1 \| \cdots \| g_u \| y_1 \| \cdots \| y_v \| \prod_{j=1}^{J_1} g_{b_{1j}}^{r_{a_{1j}}} \bmod p \| \cdots \| \prod_{j=1}^{J_v} g_{b_{vj}}^{r_{a_{vj}}}
\bmod p \| m)$ and

3. compute $s_d = r_d - c x_d \bmod q$ for $1 \le d \le w$.



Definition 2. Let $g, y \in G_p$ and $\bar g \in G_{\bar p}$. An SPK proving the knowledge of a
double discrete logarithm of y to the bases g and $\bar g$ on a message $m \in \{0,1\}^*$ is
denoted as

$SPK\{(\alpha) : y = g^{\bar g^{\alpha}} \bmod p\}(m),$

which consists of a set of $(c, s_1, \dots, s_k) \in \{0,1\}^k \times \mathbb{Z}_q^k$ satisfying $c = H(g \| \bar g \| y \|
(y^{c[1]} g^{1-c[1]})^{\bar g^{s_1}} \bmod p \| \cdots \| (y^{c[k]} g^{1-c[k]})^{\bar g^{s_k}} \bmod p \| m)$.

A signer who knows the secret key $x \in \mathbb{Z}_q$ with $y = g^{\bar g^{x}} \bmod p$ can compute a
signature $(c, s_1, \dots, s_k) = SPK\{(\alpha) : y = g^{\bar g^{\alpha}} \bmod p\}(m)$ on a message m as
follows:

1. choose random exponents $r_j \in_R \mathbb{Z}_q^*$ for $1 \le j \le k$,

2. compute $c = H(g \| \bar g \| y \| g^{\bar g^{r_1}} \bmod p \| \cdots \| g^{\bar g^{r_k}} \bmod p \| m)$, and

3. compute $s_j = r_j - c[j]\, x \bmod q$ for $1 \le j \le k$.

3 Proposed Scheme 

We present the group signature scheme based on a Nyberg-Rueppel signature 
after we define a new SPK and a new problem based on DLP, and modify the 
Nyberg-Rueppel signature. 
3.1 New SPK of a Common Discrete Logarithm over Different Groups

Let us define a new SPK which proves the knowledge of a common discrete
logarithm over different groups. Let P be a product pq of primes p and q with $q \mid (p-1)$,
and let $\bar P$ be a prime with $P \mid (\bar P - 1)$. We also use two cyclic groups $G_P$ of order q with
$G_P \subset \mathbb{Z}_P^*$ and $G_{\bar P}$ of order P with $G_{\bar P} \subset \mathbb{Z}_{\bar P}^*$.

Definition 3 (SPK of a common discrete logarithm over different
groups). Let $g, y \in G_P$ with $\mathrm{ord}(g) = \mathrm{ord}(y)$ and $\bar g, \bar y \in G_{\bar P}$ with $\mathrm{ord}(\bar g) =
\mathrm{ord}(\bar y)$. An SPK proving the knowledge of a common discrete logarithm of y to the
base g and $\bar y$ to the base $\bar g$ on a message $m \in \{0,1\}^*$ is denoted as

$SPK\{(\alpha) : y = g^{\alpha} \bmod P \;\wedge\; \bar y = \bar g^{\alpha} \bmod \bar P \;\wedge\; \alpha \in \mathbb{Z}_P\}(m),$

which consists of a set of $(c, s) \in \{0,1\}^k \times \mathbb{Z}_P$ satisfying $c = H(g \| y \| \bar g \| \bar y \|
y^c g^s \bmod P \| \bar y^c \bar g^s \bmod \bar P \| m)$.

If a signer knows such an integer $x \in \mathbb{Z}_P$ that both $y = g^x \bmod P$ and $\bar y =
\bar g^x \bmod \bar P$ hold, a signature on a message m corresponding to public keys y and
$\bar y$ can be computed as follows:

1. choose a random exponent $r \in_R \mathbb{Z}_P$,

2. compute $c = H(g \| y \| \bar g \| \bar y \| g^r \bmod P \| \bar g^r \bmod \bar P \| m)$, and

3. compute $s = r - cx \bmod P$.

Lemma 1. The interactive protocol corresponding to $SPK\{(\alpha) : y = g^{\alpha} \bmod
P \wedge \bar y = \bar g^{\alpha} \bmod \bar P \wedge \alpha \in \mathbb{Z}_P\}(m)$ is an honest-verifier perfect zero-knowledge
proof of knowledge of a common discrete logarithm of y to the base g and $\bar y$ to the
base $\bar g$.

Proof: The proof of the perfect zero-knowledge part is quite standard. We
restrict our attention to the proof of knowledge part. By using the fact that the
equivalent protocol [15] is a proof of knowledge, it is sufficient to show that the
knowledge extractor can compute the witness once he has found two accepting
sets $(t_1, t_2, c, s)$ and $(t_1, t_2, c', s')$. Since both $t_1 = y^c g^s = y^{c'} g^{s'} \pmod P$ and
$t_2 = \bar y^c \bar g^s = \bar y^{c'} \bar g^{s'} \pmod{\bar P}$ hold, we have $y = g^{\frac{s'-s}{c-c'}} \pmod P$ and
$\bar y = \bar g^{\frac{s'-s}{c-c'}} \pmod{\bar P}$. From these equations, we have

$x_q = \frac{s'-s}{c-c'} \bmod q, \qquad x_p = \frac{s'-s}{c-c'} \bmod p.$

On the other hand, we can compute such an integer $x \in \mathbb{Z}_P$ that

$x = x_q \bmod q, \qquad x = x_p \bmod p$

by using the Chinese Remainder Theorem. Then both $y = g^x \bmod P$ and $\bar y = \bar g^x
\bmod \bar P$ hold. Therefore, $SPK\{(\alpha) : y = g^{\alpha} \bmod P \wedge \bar y = \bar g^{\alpha} \bmod \bar P \wedge \alpha \in
\mathbb{Z}_P\}(m)$ is an honest-verifier perfect zero-knowledge proof of knowledge of a common
discrete logarithm of y to the base g and $\bar y$ to the base $\bar g$. □
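A concrete instance of Definition 3 together with the extractor of Lemma 1, as an added example (not the paper's code): the SPK is produced and checked over the two groups, then the interactive protocol is rewound to obtain two accepting transcripts on the same commitment, and the witness is rebuilt from $x_q$ and $x_p$ by the Chinese Remainder Theorem. The parameters q = 11, p = 23, P = 253, $\bar P$ = 1013 are constructed toy values, and H is assumed to be SHA-256 over the ‖-joined decimal encodings.

```python
"""SPK of a common discrete logarithm over the two groups of Definition 3 plus
the knowledge extractor of Lemma 1.  Added example, not the paper's code; toy
parameters (q = 11, p = 23, P = 253, P_BAR = 1013) and H = SHA-256 are assumed."""
import hashlib
import math
import random

q, p = 11, 23            # primes with q | (p - 1)
P = p * q                # 253: composite modulus, G_P is the order-q subgroup of Z_P^*
P_BAR = 1013             # prime with P | (P_BAR - 1): 1013 = 4 * 253 + 1


def _element_of_order(modulus, unit_group_order, order, prime_factors, rng):
    """Random element of exact `order` in Z_modulus^* (toy search)."""
    while True:
        a = rng.randrange(2, modulus)
        x = pow(a, unit_group_order // order, modulus)
        if math.gcd(a, modulus) == 1 and all(
                pow(x, order // f, modulus) != 1 for f in prime_factors):
            return x


def setup(seed=1):
    """g in G_P of order q, g_bar in G_P_BAR of order P, and a witness x in Z_P."""
    rng = random.Random(seed)
    g = _element_of_order(P, (p - 1) * (q - 1), q, (q,), rng)
    g_bar = _element_of_order(P_BAR, P_BAR - 1, P, (p, q), rng)
    x = rng.randrange(P)
    return g, pow(g, x, P), g_bar, pow(g_bar, x, P_BAR), x


def _H(*parts):
    """H : {0,1}* -> {0,1}^256 over "||"-joined decimal encodings (assumption)."""
    data = "||".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def spk_sign(g, y, g_bar, y_bar, x, m, rng):
    """(c, s) with c = H(g||y||g_bar||y_bar||g^r||g_bar^r||m) and s = r - c x mod P."""
    r = rng.randrange(P)
    c = _H(g, y, g_bar, y_bar, pow(g, r, P), pow(g_bar, r, P_BAR), m)
    return c, (r - c * x) % P


def spk_verify(g, y, g_bar, y_bar, m, sig):
    """Recompute t1 = y^c g^s mod P and t2 = y_bar^c g_bar^s mod P_BAR, then re-hash."""
    c, s = sig
    t1 = pow(y, c, P) * pow(g, s, P) % P
    t2 = pow(y_bar, c, P_BAR) * pow(g_bar, s, P_BAR) % P_BAR
    return c == _H(g, y, g_bar, y_bar, t1, t2, m)


def rewind(x, rng, c1, c2):
    """Interactive view: one commitment r, two challenges -> (c, s) and (c', s')."""
    r = rng.randrange(P)
    return (c1, (r - c1 * x) % P), (c2, (r - c2 * x) % P)


def extract(transcripts):
    """Lemma 1: x_q = (s'-s)/(c-c') mod q, x_p = (s'-s)/(c-c') mod p, then CRT."""
    (c, s), (c2, s2) = transcripts
    num, den = s2 - s, c - c2                  # den must be a unit mod q and mod p
    x_q = num * pow(den, -1, q) % q
    x_p = num * pow(den, -1, p) % p
    return (x_q * p * pow(p, -1, q) + x_p * q * pow(q, -1, p)) % P


def demo(seed=1):
    """(valid SPK accepted, same SPK on another message rejected, witness extracted)."""
    g, y, g_bar, y_bar, x = setup(seed)
    rng = random.Random(seed + 100)
    sig = spk_sign(g, y, g_bar, y_bar, x, "m", rng)
    ok = spk_verify(g, y, g_bar, y_bar, "m", sig)
    other = spk_verify(g, y, g_bar, y_bar, "m'", sig)
    recovered = extract(rewind(x, rng, 5, 7))  # 5 - 7 = -2 is a unit mod 11 and mod 23
    return ok, other, recovered == x
```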
3.2 The Multiple Discrete Logarithm Problem

Before presenting our scheme, we define the Multiple Discrete Logarithm Problem
(MDLP), which is used for the security proof of our scheme. Let k be a
security parameter, q and p be primes with $|q| = k$ and $q \mid (p-1)$, P be the product
of q and p, and $g_1$, $g_2$ and $g_3$ be elements in $\mathbb{Z}_P^*$ with order q.

Problem 1 (MDLP) Given $\mathbb{Z}_P^*$ and $g_1$, $g_2$ and $g_3 \in \mathbb{Z}_P^*$ with order q such
that the discrete logarithms based on each other element are unknown, find a
triple $(x_1, x_2, x_3) \in \mathbb{Z}_P \times \mathbb{Z}_q \times \mathbb{Z}_q$ such that $x_1 g_1^{x_1} g_2^{x_2} = g_3^{x_3} \pmod P$.

Assumption 1 (MDL Assumption) There is no probabilistic polynomial-
time algorithm $\mathcal{P}$ that can solve Problem 1.

3.3 The Modified Nyberg-Rueppel Signature Scheme 

Let us summarize the original Nyberg-Rueppel signature scheme [14]. For a q-
order element $g \in \mathbb{Z}_p^*$, a signer chooses his secret key $x \in_R \mathbb{Z}_q$ and computes his
public key $y = g^x \bmod p$. A signature $(r, s) \in \mathbb{Z}_p \times \mathbb{Z}_q$ on a message $m \in \mathbb{Z}_p^*$
is computed as $r = m g^{-w} \bmod p$ and $s = w - rx \bmod q$ for a random integer
$w \in_R \mathbb{Z}_q$, which is verified by recovering the message m as $m = r y^r g^s \bmod p$.

Message recovery signature schemes are subject to an existential forgery, in
which an attacker cannot control the message. In a sense, it is not a serious problem
because we can avoid such a forgery by restricting a message to a particular
format. However, suppose that we want to use it for a membership certificate
of a DLP-based key like $m = g^t \bmod p$. Then, by using a valid signature for a
message $m = g^t \bmod p$ with a known discrete logarithm t, it is easy to obtain a
forged signature for some known message $m' = g^{t'} \bmod p$, in which an attacker
can control the message $m'$. Therefore, we must remove such a defect from the
original Nyberg-Rueppel signature to generate a membership certificate of a
DLP-based key.

In order to generate a membership certificate of a DLP-based key securely,
we introduce another base $h \in \mathbb{Z}_p^*$ with order q such that the discrete logarithm
of h to the base g is unknown. We restrict the message space for the Nyberg-Rueppel
signature to $\{h^t \bmod p \mid t \in \mathbb{Z}_q\}$. In our scheme, GM or $M_i$ computes each public
key as $y = g^{x_{GM}} \bmod p$ or $z_i = h^{x_i} \bmod p$, respectively. Then, a membership
certificate $(r_i, s_i) \in \mathbb{Z}_p \times \mathbb{Z}_q$ of $M_i$’s public key $z_i = h^{x_i} \bmod p$ is given as
$z_i = r_i y^{r_i} g^{s_i} \pmod p$.
3.4 Functional Description 

A group signature scheme with CRL-based revocation consists of the following
procedures:

Setup: A probabilistic polynomial-time algorithm that on input a security parameter
k outputs the group public key $\mathcal{Y}$ (including all system parameters),
the secret key $\mathcal{S}$ of the group manager, and the initial certificate revocation
list $\mathcal{CRL}$.

Registration: A protocol between the group manager and a user that registers
the user as a new group member. The group manager outputs the renewed
member list $\mathcal{ML}$. The user outputs a membership key with a membership
certificate.

Revocation: A probabilistic polynomial-time algorithm that on input the renewed
revoked member list $\mathcal{RML}$ outputs a renewed certificate revocation
list $\mathcal{CRL}$ corresponding to $\mathcal{RML}$.

Sign: A probabilistic polynomial-time algorithm that on input a group public
key $\mathcal{Y}$, a membership key, a membership certificate, and a message m outputs
a group signature $\sigma$.

Verification: A boolean-valued algorithm that on input a message m, a group
signature $\sigma$, a group public key $\mathcal{Y}$, and a current certificate revocation list
$\mathcal{CRL}$ returns 1 if and only if $\sigma$ was generated by some valid group member.

Tracing: An algorithm that on input a valid group signature $\sigma$, a group public
key $\mathcal{Y}$, the group manager’s secret key, and the member list $\mathcal{ML}$ outputs
the identity of the signer.



3.5 Scheme Intuition 

Our scheme must permit $M_i$ to prove knowledge of his membership certificate
$(r_i, s_i)$ corresponding to his membership key $x_i$ without revealing any information
about $x_i$, $r_i$ or $s_i$. However, there has not been any SPK which proves the knowledge
of the membership certificate directly. So, we modify the Nyberg-Rueppel signature
as follows. Let $\bar P$ be a prime with $P \mid (\bar P - 1)$, $P = pq$ and $q \mid (p-1)$, and let
$g_1$ and $g_2 \in \mathbb{Z}_P^*$ be q-order elements. GM issues a membership certificate $(A_i, b_i)$ of $M_i$’s
public key $z_i = g_2^{x_i} \bmod P$ as $z_i = A_i y^{A_i} g_1^{b_i} \pmod P$. This exactly means
that our membership certificate is based on the MDLP. To forge a valid membership
certificate is equivalent to solving the MDLP. Under Assumption 1, it is difficult
to find a set $\{x_i, (A_i, b_i)\}$ such that $g_2^{x_i} = A_i y^{A_i} g_1^{b_i} \bmod P$ without knowing
the discrete logarithms of $g_1$, $g_2$ and y based on each other element. Therefore,
the membership certificate $(A_i, b_i)$ corresponding to a membership key $x_i$ can
be obtained only by the interactive protocol between GM and $M_i$. In the signing
phase, we employ a base $\bar g \in G_{\bar P}$ with order P to protect any information about
the membership certificate $(A_i, b_i)$ and the corresponding membership key $x_i$: $M_i$
computes a random base $T = \bar g^{W} \bmod \bar P$ for a random integer $W \in_R \mathbb{Z}_P$ and
generates a signature based on the proof of knowledge of $\{x_i, (A_i, b_i)\}$ such that

$T^{\,g_2^{x_i}} = T^{\,A_i y^{A_i} g_1^{b_i}} \bmod \bar P$

holds. This can be constructed by using the SPKs defined in Section 2.2.



3.6 Our Group Signature Scheme 

We present a new group signature scheme with CRL-based revocation, which
uses only known-order groups. Let k be the security parameter, and let the initial
member list $\mathcal{ML}$, the initial revoked member list $\mathcal{RML}$ and the initial membership
certificate revocation list $\mathcal{CRL}$ be null.
Setup(k)

1. Choose a random k-bit prime q and a random prime p such that $q \mid (p-1)$,
and set $P = pq$.

2. Choose a random prime $\bar P$ such that $P \mid (\bar P - 1)$.

3. Set each cyclic subgroup $G_P \subset \mathbb{Z}_P^*$ with order q and $G_{\bar P} \subset \mathbb{Z}_{\bar P}^*$ with
order P.

4. Choose random elements $g_1, g_2, g_3$ and $g_4 \in_R G_P \setminus \{1\}$ such that the
discrete logarithms based on each other element are unknown.

5. Choose a random element $\bar g \in_R G_{\bar P} \setminus \{1\}$.

6. Compute $y_1 = g_1^{x_{GM}} \bmod P$ and $y_2 = g_3^{x_{GM}} \bmod P$ for a secret key
$x_{GM} \in_R \mathbb{Z}_q$.

7. Output the group public key $\mathcal{Y} = \{q, P, \bar P, g_1, g_2, g_3, g_4, \bar g, y_1, y_2\}$ and the
secret key $\mathcal{S} = \{x_{GM}\}$.

Registration($\mathcal{Y}, \mathcal{S}, \mathcal{ML}$)

1. $M_i$ chooses a membership key $x_i \in_R \mathbb{Z}_q$, sets $z_i = g_2^{x_i} \bmod P$, and sends
$z_i$ with $\sigma_i = SPK\{(\alpha) : z_i = g_2^{\alpha} \bmod P\}(\emptyset)$ to GM¹.

   ¹ We can also add an interactive protocol to generate a member’s secret key jointly by a
   member and GM.

2. GM checks the validity of $\sigma_i$, chooses a random integer $w_i \in_R \mathbb{Z}_q$,
computes $A_i = z_i g_1^{-w_i} \bmod P$ and $b_i = w_i - A_i x_{GM} \bmod q$, and sends
$(A_i, b_i) \in \mathbb{Z}_P \times \mathbb{Z}_q$ to $M_i$ through a secure channel.

3. GM adds $(A_i, b_i)$ with $M_i$’s identity $ID_i$ to the member list $\mathcal{ML}$.

4. $M_i$ verifies that $A_i y_1^{A_i} g_1^{b_i} = z_i \pmod P$.

5. GM outputs the renewed member list $\mathcal{ML} = \{(ID_i, A_i, b_i)\}$.

6. $M_i$ possesses a membership key $x_i$ and a membership certificate $(A_i, b_i) \in
\mathbb{Z}_P \times \mathbb{Z}_q$.

In order to revoke a new subset of members whose revoked member list is
$\mathcal{RML} = \{(ID_j, b_j)\}$ with $|\mathcal{RML}| = u$, GM renews the certificate revocation
list $\mathcal{CRL}$ by running the following Revocation protocol.

Revocation($\mathcal{RML}$)

1. Choose a new revocation base $g_4 \in_R G_P \setminus \{1\}$ and update $\mathcal{Y}$.

2. Compute $V_j = g_4^{b_j} \bmod P$ for $b_j \in \mathcal{RML}$ ($1 \le j \le u$).

3. Output the renewed certificate revocation list $\mathcal{CRL} = \{V_j \mid 1 \le j \le u\}$.

Sign($\mathcal{Y}, g_4, x_i, A_i, b_i, m$)

1. Choose a random integer $w \in_R \mathbb{Z}_q$.

2. Compute $T_1 = \bar g^{\,g_3^{w}} \bmod \bar P$, $T_2 = T_1^{\,g_4^{b_i}} \bmod \bar P$, $T_3 = g_3^{b_i} g_4^{w} \bmod P$,
$T_4 = A_i g_3^{w} \bmod P$, and $T_5 = y_2^{w} \bmod P$.

3. Generate

$\sigma_1 = SPK\{(\alpha_1, \alpha_2) : T_1 = \bar g^{\,g_3^{\alpha_2}} \bmod \bar P \;\wedge\; T_2 = T_1^{\,g_4^{\alpha_1}} \bmod \bar P \;\wedge\;
T_3 = g_3^{\alpha_1} g_4^{\alpha_2} \bmod P\}(m)$

$= (c_1, s_{11}, \dots, s_{1k}, s_{21}, \dots, s_{2k}) \in \{0,1\}^k \times \mathbb{Z}_q^{2k}$

as follows:
— choose random integers $w_{1j}, w_{2j} \in_R \mathbb{Z}_q$ for $1 \le j \le k$,

— compute

 • $t_{1j} = \bar g^{\,g_3^{w_{2j}}} \bmod \bar P$, $t_{2j} = T_1^{\,g_4^{w_{1j}}} \bmod \bar P$, and $t_{3j} = g_3^{w_{1j}} g_4^{w_{2j}} \bmod
P$ for $1 \le j \le k$,

 • $c_1 = H(g_3 \| g_4 \| \bar g \| T_1 \| T_2 \| T_3 \| t_{11} \| \cdots \| t_{1k} \| t_{21} \| \cdots \| t_{2k} \| t_{31} \| \cdots \| t_{3k}
\| m)$,

 • $s_{1j} = w_{1j} - c_1[j]\, b_i \bmod q$ and $s_{2j} = w_{2j} - c_1[j]\, w \bmod q$ for $1 \le
j \le k$.

4. Generate

$\sigma_2 = SPK\{(\alpha_3, \alpha_4, \alpha_5, \alpha_6) : \alpha_3 \in \mathbb{Z}_P \;\wedge\; T_3 = g_3^{\alpha_4} g_4^{\alpha_6} \bmod P \;\wedge\;
T_4 = y_1^{-\alpha_3} g_1^{-\alpha_4} g_2^{\alpha_5} g_3^{\alpha_6} \bmod P \;\wedge\; T_5 = y_2^{\alpha_6} \bmod P \;\wedge\; \bar g^{\,T_4} = T_1^{\alpha_3} \bmod \bar P\}(m)$

$= (c_2, s_3, s_4, s_5, s_6) \in \{0,1\}^k \times \mathbb{Z}_P \times \mathbb{Z}_q^3$

as follows:

— choose $w_3 \in_R \mathbb{Z}_P$ and $w_4, w_5, w_6 \in_R \mathbb{Z}_q$,

— compute

 • $t_4 = g_3^{w_4} g_4^{w_6} \bmod P$, $t_5 = y_1^{-w_3} g_1^{-w_4} g_2^{w_5} g_3^{w_6} \bmod P$, $t_6 = y_2^{w_6} \bmod
P$, and $t_7 = T_1^{w_3} \bmod \bar P$,

 • $c_2 = H(g_1 \| g_2 \| g_3 \| g_4 \| \bar g \| y_1 \| y_2 \| T_1 \| T_3 \| T_4 \| T_5 \| t_4 \| t_5 \| t_6 \| t_7 \| m)$,

 • $s_3 = w_3 - c_2 A_i \bmod P$, $s_4 = w_4 - c_2 b_i \bmod q$, $s_5 = w_5 - c_2 x_i \bmod q$
and $s_6 = w_6 - c_2 w \bmod q$.

5. Output a group signature $\sigma = \{T_1, T_2, T_3, T_4, T_5, \sigma_1, \sigma_2\}$.

Verification($\mathcal{Y}, \mathcal{CRL}, m, \sigma$)

1. Check the validity of $\sigma_1$ and $\sigma_2$.

2. If $T_1^{V_j} \neq T_2 \bmod \bar P$ for $\forall V_j \in \mathcal{CRL}$, then accept the signature; otherwise
reject the signature.

Tracing($x_{GM}, \mathcal{ML}, \sigma$)

1. Recover $A_i$ by $A_i = T_4 / T_5^{1/x_{GM}} \bmod P$.

2. Identify the signer $M_i$ from $A_i$ by using the member list $\mathcal{ML}$.

3. Output the signer’s identity $ID_i$.

In our scheme, in order to realize the features of anonymity and unlinkability,
GM has to keep $\mathcal{ML}$ secret and send a membership certificate to a group
member through a secure channel. This assumption is also required in the CRL-based
revocation of [3]. So that the features of anonymity and unlinkability do not rest on
GM alone, GM may be separated into two managers, the group manager and the
escrow manager, by applying techniques of multi-party computation to generate a
membership certificate.

4 Security Consideration 

We use two different signature schemes in our group signature scheme. One is the 
modified Nyberg-Rueppel signature scheme that generates the membership cer- 
tificate, and the other is SPK that generates the group signature. In this section, 
we consider the security of a membership certificate and the group signature. 
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4.1 Security Proof on the Membership Certificate 

The security of the membership certificate in our scheme is based on the diffi- 
culty of the MDLP. We show the membership certificate is secure against any 
probabilistic polynomial-time adversaries. 

Let us define one more security assumption. For the security parameter k, 
primes p and q with |g| = k and q\(p— 1 ), P = pq and 31, 32, 33 £ Z P with order 
3, a set of solutions of Problem 1 is denoted as 

*(Zp, 3 i, 32 , 33 ) = {{xi,X2,x 3 ) £Z P xZ q xZ q \ Xtg^g^ 2 = g% 3 (mod P)} 

where the discrete logarithms of 31, 32, and 33 based on each other element is 
not known. 

Problem 2 (Strong-MDLP) Given Zp, 31, 32, and 33 £ Z* p such that the 
discrete logarithm based on each other element is not known and any subset 
X C X(Zp, 31, 32, 33) with the polynomial order |A|, find a pair (aq, £2, £3) £ 
Zp xZ q xZ q such that xig^g ^ 2 = g 3 s (mod P) and {x\,X2,x 3 ) ^ X. 



Assumption 2 (Strong-MDLP Assumption) There is no probabilistic 
polynomial-time algorithm P that can solve the Problem 2 . 

More formally, the following experiment is executed with algorithm A. 
Break-strong-MDLP(A, k, 3, P, 31, 32, 33) 

1 . Choose a polynomial-order subset X C X{Zp,g\ 1 g2 1 g 3 ) ■ 

2. (aq, £2, £3) £- A x (k, 31, 32, 33, 3) P) ■ 

3 . If (aq, X2, £3) £ Zp x Z q x Z q , 3g 3 = Xi3i :z ' 1 32 ::C2 (mod P) , and 

(xi,x 2 ,x 3 ) ^ X 

then return 1 , 
else return 0. 

The strong MDLP assumption is that the maximum success probability of Break- 
strong-MDLP(A, k. 3, P, 31, 32, 33) over all the probabilistic polynomial-time ad- 
versary is negligible in k. 

By using Assumption 2 , we can formalize the security of the membership 
certificate as follows. Let us define A be a probabilistic polynomial-time oracle 
Turing machine, which gets input y and runs with a membership certificate oracle 
Oc (t,y,S,-), which on input z £ Z* p outputs a membership certificate ( A,b ). 
The adversary A may query the oracle adaptively. Eventually, adversary outputs 
a new membership certificate (A', b') for a public key z' and the corresponding 
membership key x' . The adversary wins if z' was not queried and A'y A g\ b = z’ 
(mod P). More formally, the following experiment is executed with the algorithm 
A. 

Adversary (A, k ) 

1 . Set (S,y) <— Setup(fc) 
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2. Set (A',b',z',x') <- A 0 c {k,y) 

3. If A'y A gi b ^ z' (mod P) or z' was queried to Oc, 
then return "adversary failed", 

else return "adversary succeeded". 

From the above discussion, the security of our certificate is proved as follows.

Theorem 1. Let A be a probabilistic polynomial-time adversary of time complexity $\tau$ with at most Q queries to the oracle $O_C$. If the adversary successfully forges a new certificate, then there exists an adversary B performing an attack against the strong MDLP with at least the same advantage. Furthermore, the time complexity of B is at most $\tau$.



4.2 Security Proof on the Group Signature

We show the security of the group signature.

Theorem 2. The interactive protocol underlying the group signature scheme is an honest-verifier perfect zero-knowledge proof of knowledge of a membership certificate and the corresponding membership key. Furthermore, it proves that the pair $(T_4, T_5)$ encrypts the membership certificate under the group manager's public key $y_2$.

Proof: The proof of the perfect zero-knowledge part is quite standard. We restrict our attention to the proof of knowledge part. By the properties of the SPK protocol, the signer can produce values $\alpha_1, \alpha_2, \alpha_3, \alpha_4, \alpha_5$ and $\alpha_6$ such that

$T_1 = g^{g_3^{\alpha_2}} \bmod P$   (1)

$T_2 = T_1^{g_4^{\alpha_1}} \bmod P$   (2)

$T_3 = g_1^{\alpha_1} g_4^{\alpha_2} = g_1^{\alpha_4} g_4^{\alpha_6} \bmod P$   (3)

$T_4 = y_1^{-\alpha_3} g_1^{-\alpha_4} g_2^{\alpha_5} g_3^{\alpha_6} \bmod P$   (4)

$T_5 = y_2^{\alpha_6} \bmod P$   (5)

$g^{T_4} = T_1^{\alpha_3} \bmod P$   (6)

$\alpha_3 \in Z_P$   (7)

hold, in which $\alpha_1 = \alpha_4$ and $\alpha_2 = \alpha_6$ hold from Equation (3). Thus, Equations (1) and (2) represent

$T_1 = g^{g_3^{\alpha_6}} \bmod P$   (8)

and

$T_2 = T_1^{g_4^{\alpha_4}} \bmod P.$   (9)

From Equations (4) and (8), we can rewrite Equation (6) as

$g^{\,y_1^{-\alpha_3} g_1^{-\alpha_4} g_2^{\alpha_5} g_3^{\alpha_6}} = \left(g^{g_3^{\alpha_6}}\right)^{\alpha_3} \pmod P$

$\Leftrightarrow\ y_1^{-\alpha_3} g_1^{-\alpha_4} g_2^{\alpha_5} g_3^{\alpha_6} = g_3^{\alpha_6} \alpha_3 \pmod P$

$\Leftrightarrow\ g_2^{\alpha_5} = \alpha_3 y_1^{\alpha_3} g_1^{\alpha_4} \pmod P.$   (10)

Thus, the set $\{\alpha_5, (\alpha_3, \alpha_4)\}$ coincides with a valid membership certificate and the corresponding membership key. Using Equation (10), Equation (4) becomes

$T_4 = \alpha_3 g_3^{\alpha_6} \pmod P.$

Thus, the pair $(T_4, T_5)$ is an encryption of $\alpha_3$ under the group manager's public key $y_2$. Therefore, the group signature is an honest-verifier perfect zero-knowledge proof of knowledge of a membership certificate and the corresponding membership key, and it proves that the pair $(T_4, T_5)$ is an encryption of the membership certificate under the group manager's public key $y_2$. □

5 Analysis of Our Scheme

5.1 Features

Here we show that our scheme satisfies all features necessary for group signatures.

Unforgeability: From the proof of Theorem 2, the set $(T_1, T_2, T_3, T_4, T_5)$ is an unconditionally binding commitment to a valid membership certificate $(A_i, b_i)$ and the corresponding membership key $x_i$. Under Assumption 2, it is infeasible to find a certificate $(A_i, b_i)$ corresponding to a membership key $x_i$ without knowledge of the group manager's secret key. Therefore, only group members who have a valid membership certificate are able to generate a signature on a message.

Exculpability: GM knows a member's membership certificate, but he cannot get any information about the corresponding membership key $x_i$. Hence, even if GM colludes with some group members, they cannot sign on behalf of

Anonymity: Assuming that the function H is a random function, the SPKs $\sigma_1$ and $\sigma_2$ do not leak any information, since their interactive counterparts are honest-verifier perfect zero-knowledge. To decide whether some group member with certificate $(A_i, b_i)$ generated a signature, it is required to decide whether $\log_g T_1 = T_4 / A_i$, $\log_{T_1} T_2 = g_4^{b_i}$, or $\log_{g_4}(T_3 / g_1^{b_i}) = \log_{g_3}(T_4 / A_i) = \log_{y_2} T_5$ holds. However, these are impossible under the decision Diffie-Hellman assumption [12], and hence anonymity is guaranteed.

Traceability: When the signature is valid, $(T_4, T_5)$ coincides with an encryption of the membership certificate $A_i$, which can be uniquely recovered by GM. Therefore, a member can be traced in case of dispute. On the other hand, in order to impersonate another signer with $(A', b')$, one must forge the membership certificate $(A', b')$. Under Assumption 2, this is infeasible.

Unlinkability: In order to decide whether or not two signatures $\{T_1, T_2, T_3, T_4, T_5, \sigma_1, \sigma_2\}$ and $\{T_1', T_2', T_3', T_4', T_5', \sigma_1', \sigma_2'\}$ were generated by the same group member, we need to decide whether or not $(\log_g T_1)/(\log_g T_1') = T_4 / T_4'$, $(\log_{T_1} T_2)/(\log_{T_1'} T_2') = 1$, or $\log_{g_4}(T_3 / T_3') = \log_{g_3}(T_4 / T_4') = \log_{y_2}(T_5 / T_5')$ holds. However, these are impossible under the decision Diffie-Hellman assumption [12], and hence group signatures are unlinkable to each other.

Revocability: Each group signature must prove knowledge of $b_i$ with $T_2 = T_1^{g_4^{b_i}} \bmod P$, where GM publishes a revoked member's membership certificate as $V = g_4^{b} \bmod P$. Therefore, if a signer is a revoked member (i.e., $b_i = b$), then $T_1^{V} = T_2 \bmod P$ holds for some published $V$. The verifier can check this equation and judge whether the signer has been revoked or not. In order to forge a group signature that passes verification, a revoked member must substitute another $b'$ for the part $b$ of the membership certificate, but this is impossible under Assumption 2. We can say that a revoked member cannot generate a valid group signature.

Anonymity after revocation: A CRL certificate, however, does not leak any information about the group member. Therefore nobody can identify the group member who generated a signature on a message, even after that group member was revoked.

Unlinkability after revocation: In order to decide whether or not two signatures $\sigma$ and $\sigma'$ based on the CRLs of different times, CRL and CRL', were generated by the same member $M_i$ whose certificate is in CRL', we need to decide whether or not $\log_{g_4} \log_{T_1} T_2 = \log_{g_4'} V'$ holds. However, this is impossible under the decision Diffie-Hellman assumption [12], and thus group signatures are unlinkable even after a group member was revoked.



5.2 Efficiency

We compare our scheme with previous schemes [3] from the viewpoints of both computational work and signature size in Table 1. Let P and q be 1200 and 160 bits, respectively. Here M denotes the computational work of one multiplication over a 1200-bit modulus. We assume the binary method for computing an exponentiation and the extended binary method for computing a multiple exponentiation [13].

Table 1 shows that our scheme reduces both the signature size and the verification work to about 1/3 of those of [3], while maintaining the same security level. Furthermore, our scheme is slightly more efficient than even the group signature scheme based on known-order cyclic groups proposed by G. Ateniese and B. de Medeiros [2], which does not satisfy the feature of revocability, as mentioned in Section 1. Although revocability can easily be added in a simple way [3], doing so increases both the signature size and the computational work. Our scheme is optimized under the condition that all features, including revocability, are realized. Therefore, our scheme is much better than a scheme combining [2] with the revocation function of [3].

Since our scheme uses the SPK of double discrete logarithms, it seems to require much computational work in contrast to group signature schemes with revocation [5,6], which do not use the SPK of double discrete logarithms. However, their group public key and signature size depend on the number of group members, and thus these schemes are less efficient than our scheme for large groups, e.g., of 1000 members.



Table 1. Comparison of the efficiency

                  Work                                                Signature Size
                  Sign                  Verification                  Signature
[2] with [3]      2020.3 x 10^3 M       (2031.3 + 1.8n) x 10^3 M      101.6 KByte
[5]               200n + 760 M          200(n + 1) M                  380 + 20n KByte
Our scheme        705.1 x 10^3 M        (700.4 + 1.8n) x 10^3 M       31.3 KByte

(1) n denotes the number of group members.
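As an added illustration of the cost model behind Table 1 (this is not the paper's code), the following Python counts the multiplications M spent by the binary method on one exponentiation and by the extended binary method (Shamir's simultaneous method) on a multiple exponentiation; the 1200-bit modulus is a constructed odd number rather than a prime, since only the operation counts matter, and the exponents are random 160-bit values like elements of Z_q.

```python
"""Multiplication counts for the exponentiation methods assumed in the efficiency
comparison: the binary method for a single exponentiation and the extended binary
(simultaneous) method for a multiple exponentiation.  Added illustration, not the
paper's code; the modulus is a constructed odd number because only counts matter."""
import random
from dataclasses import dataclass


@dataclass
class MulCounter:
    """Counts modular multiplications; a squaring is counted as one M, as in Table 1."""
    squarings: int = 0
    multiplications: int = 0

    @property
    def total(self) -> int:
        return self.squarings + self.multiplications


def binary_exp(g: int, e: int, p: int, ctr: MulCounter) -> int:
    """Left-to-right binary method for g^e mod p (square-and-multiply)."""
    if e == 0:
        return 1 % p
    acc = g % p
    for bit in bin(e)[3:]:          # skip the leading 1, which is just acc = g
        acc = acc * acc % p
        ctr.squarings += 1
        if bit == "1":
            acc = acc * g % p
            ctr.multiplications += 1
    return acc


def extended_binary_exp(bases, exps, p: int, ctr: MulCounter) -> int:
    """Extended binary method for prod_i bases[i]^exps[i] mod p.

    One shared chain of squarings serves all exponents; each bit position costs at
    most one extra multiplication by a precomputed product of the selected bases."""
    m = len(bases)
    if m == 0 or m != len(exps):
        raise ValueError("need the same non-zero number of bases and exponents")
    # table[mask] = product of the bases whose bit is set in mask
    # (2^m - m - 1 multiplications: the precomputation cost of the method).
    table = [1] * (1 << m)
    for mask in range(1, 1 << m):
        low = mask & -mask
        i = low.bit_length() - 1
        rest = mask ^ low
        if rest == 0:
            table[mask] = bases[i] % p
        else:
            table[mask] = table[rest] * bases[i] % p
            ctr.multiplications += 1
    k = max(e.bit_length() for e in exps)
    acc, started = 1, False
    for j in range(k - 1, -1, -1):
        if started:
            acc = acc * acc % p
            ctr.squarings += 1
        mask = 0
        for i, e in enumerate(exps):
            mask |= ((e >> j) & 1) << i
        if mask:
            if started:
                acc = acc * table[mask] % p
                ctr.multiplications += 1
            else:
                acc, started = table[mask], True
    return acc


def average_cost(num_bases: int, exp_bits: int, trials: int = 50, seed: int = 1):
    """Average M for one multiple exponentiation with num_bases random exp_bits-bit
    exponents (joint), versus computing each exponentiation separately (separate)."""
    rng = random.Random(seed)
    modulus = (1 << 1200) - 1            # constructed odd modulus of Table 1's size
    joint = separate = 0
    for _ in range(trials):
        bases = [rng.randrange(2, modulus) for _ in range(num_bases)]
        exps = [rng.getrandbits(exp_bits) | (1 << (exp_bits - 1))
                for _ in range(num_bases)]
        c_joint, c_sep = MulCounter(), MulCounter()
        extended_binary_exp(bases, exps, modulus, c_joint)
        for g, e in zip(bases, exps):
            binary_exp(g, e, modulus, c_sep)
        joint += c_joint.total
        separate += c_sep.total
    return joint / trials, separate / trials
```

For three 160-bit exponents the joint method needs roughly 160 squarings plus about 140 multiplications, against roughly 3 x 240 M when done separately, which is the saving the verification figures in Table 1 rely on.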



6 Conclusion

We have proposed a group signature with CRL-based revocation. In our scheme, the membership certificate is constructed by using an improved Nyberg-Rueppel signature with appendix. As a result, the signature size and the computational work of signature generation and verification can be reduced, because all secret data can be computed using knowledge of the order of the group.

Our scheme uses a proof of knowledge involving a double discrete logarithm in the same way as previous group signatures, which requires much computational work. Furthermore, our scheme uses a membership certificate based on a special assumption, the Multiple DLP. Developing a membership certificate based on standard assumptions is a challenging open problem. Another interesting open question is to find the relationship among the Multiple DLP, DLP.
Abstract. In this paper we make some observations on the zaps and their applications developed by Dwork and Naor [13]. We clarify the relations among public-coin witness indistinguishability (WI), public-coin honest verifier zero-knowledge (HVZK) and public-coin special honest verifier zero-knowledge (SHVZK). Specifically, we observe that the existence of zaps under the existence of one-way permutations actually strictly separates public-coin WI and public-coin SHVZK, assuming NP ⊄ BPP. We also show that public-coin HVZK does not imply WI, assuming the existence of one-way permutations. For zap-based applications, we present an improved Dwork-Naor 2-round timed deniable authentication scheme that improves the communication and computation complexity of the original protocol presented by Dwork and Naor [13]. Specifically, in the improved protocol the first message (from the verifier to the authenticator) is independent of the message to be authenticated by the authenticator.

Keywords: Zap, public-coin honest verifier zero-knowledge, deniable au- 
thentication, timed commitment, witness indistinguishability 



1 Introduction 

Zap, first introduced by Dwork and Naor [13], is itself a 2-round public-coin witness indistinguishable (WI) proof system for NP. Zaps are a very powerful cryptographic tool that significantly simplifies many cryptographic tasks. As a notable example, they are used to achieve the first 2-round timed deniable authentication scheme [13].

Deniable authentication first appears in [10,12], and is then formalized in [14]. Roughly speaking, a deniable authentication scheme is a public-key interactive authentication scheme in which an authenticator AP convinces a second party V, who has access only to AP's public key, that AP is willing to authenticate a message m. However, unlike the case of digital signatures, deniable authentication does not permit V to convince a third party that AP has authenticated m. That is, there is no "paper trail" of the conversation other than what could be produced by V alone. Several 4-round timed deniable authentication protocols appear in [14,15], and the first 2-round timed deniable authentication scheme is presented by Dwork and Naor in [13].

We remark that before the emergence of zaps, when we used public-coin WI proofs in fulfilling cryptographic tasks we actually used public-coin special honest verifier zero-knowledge (SHVZK) proofs. Public-coin honest verifier zero-knowledge (HVZK) and public-coin SHVZK were introduced by Cramer, Damgård and Schoenmakers [5], and it is shown there that any public-coin SHVZK protocol is also WI¹. Roughly, a public-coin protocol is called honest verifier zero-knowledge if there is a simulator S such that the output of S on input x is computationally indistinguishable from the real transcript between the honest prover and the honest verifier on common input x. A public-coin protocol is called SHVZK if, for any given random challenges of the honest verifier, the simulator S can take the given random challenges as inputs and output a transcript that is consistent with the given random challenges and is computationally indistinguishable from the real transcript between the honest prover and the honest verifier. We remark that public-coin SHVZK protocols are a very powerful cryptographic tool and are widely used in numerous important cryptographic applications. As a notable example, Σ-protocols, which are 3-round public-coin SHVZK protocols with a special (knowledge-extraction) soundness property, play a critical role in achieving secure digital signatures in the random oracle model (by using the famous Fiat-Shamir methodology [18]) and efficient electronic payment systems [4]. For a good survey of Σ-protocols and their applications, readers are referred to [7,4].

1.1 Our Contributions

In this paper, we clarify the relations among public-coin WI, public-coin SHVZK and public-coin HVZK. Specifically, we have the following observations:

Observation 1. The existence of zaps (under the existence of one-way permutations) actually strictly separates public-coin WI and public-coin SHVZK. Specifically, we show that although any public-coin SHVZK protocol is also public-coin WI [5], the zap, which is itself a 2-round public-coin WI proof system for NP and can be constructed under the existence of one-way permutations, cannot be public-coin SHVZK assuming NP ⊄ BPP. This observation is proven by showing that only languages in BPP have a 2-round public-coin SHVZK protocol.

¹ The fact that any public-coin SHVZK protocol is also WI is proved in Proposition 1 of [5]. We note that the Proposition states that any public-coin honest verifier zero-knowledge protocol (rather than any public-coin SHVZK protocol) is WI. But the proof of the Proposition in [5] is actually for the public-coin SHVZK case. In this paper we show that public-coin HVZK does not necessarily imply WI.







Observation 2. Public-coin HVZK does not necessarily imply WI. Specifically, we show that under the existence of one-way permutations there exists a 2-round public-coin proof system for NP that is public-coin HVZK but not WI.

For the first zap-based 2-round Dwork-Naor timed deniable authentication protocol [13], we have the following observation:

Observation 3. In the first message (from the verifier to the authenticator) of the 2-round timed deniable authentication scheme [13], the verifier needs to send a public-key encryption (under the authenticator's public key) of the message m to be authenticated by the authenticator. This implicitly means that the first (verifier's) message depends on the message to be authenticated by the authenticator. Since in practice the message to be authenticated is normally large and public-key encryption may also be time-consuming, the inclusion of the public-key encryption of m may increase both the communication complexity and the computation complexity. In this paper we observe that the above dependence in the first verifier message can be avoided by using collision-resistant hash functions.

2 Preliminaries

In this section we recall the definitions and the cryptographic tools used in this paper.

We use standard notations and conventions below for writing probabilistic algorithms and experiments. If A is a probabilistic algorithm, then $A(x_1, x_2, \ldots; r)$ is the result of running A on inputs $x_1, x_2, \ldots$ and coins r. We let $y \leftarrow A(x_1, x_2, \ldots)$ denote the experiment of picking r at random and letting y be $A(x_1, x_2, \ldots; r)$. If S is a finite set then $x \leftarrow S$ is the operation of picking an element uniformly from S. If a is neither an algorithm nor a set then $x \leftarrow a$ is a simple assignment statement.

Definition 1 (interactive proof system). A pair of probabilistic machines, (P, V), is called an interactive proof system for a language L if V is polynomial-time and the following conditions hold:

— Completeness. For every $x \in L$, $\Pr[(P, V)(x) = 1] = 1$.

— Soundness. For all sufficiently large n, every $x \notin L$ of length n and every interactive machine B (even with unbounded computational power), $\Pr[(B, V)(x) = 1]$ is negligible in n.

An interactive protocol is called a public-coin system if at each round the prescribed (honest) verifier can only toss coins (a random string) and send their outcomes to the prover. An interactive protocol is called an argument if soundness is only guaranteed for probabilistic polynomial-time (PPT) malicious provers.

Definition 2 (public-coin HVZK and SHVZK). Let (P, V) be a public-coin interactive protocol (argument or proof) for a language $L \in NP$ in which the prescribed honest verifier V is supposed to send m, $m \geq 1$, random challenges, and let $R_L$ be the corresponding NP witness relation for L. Denote by $c_i$, $1 \leq i \leq m$, the i-th random challenge of the honest verifier and by $a_i$, $1 \leq i \leq m+1$, the i-th message of the honest prover. We denote by $\mathrm{view}_V^{P(w)}(x)$ a random variable describing the transcript of all messages exchanged between the honest verifier V and the honest prover P in an execution of the protocol on common input x while P has the auxiliary input w.

Such a public-coin protocol is called honest verifier zero-knowledge (HVZK) if there exists a probabilistic polynomial-time simulator S such that for any sufficiently large x and its witness w (satisfying $(x, w) \in R_L$) the following ensembles are computationally indistinguishable: $\{S(x)\}_{x \in L}$ and $\{\mathrm{view}_V^{P(w)}(x)\}_{x \in L}$. This public-coin protocol is called special honest verifier zero-knowledge (SHVZK) if for any sufficiently large x and for any given random challenges of the honest verifier, $c_1, c_2, \ldots, c_m$, the following ensembles are computationally indistinguishable: $\{S(x, c_1, c_2, \ldots, c_m)\}_{x \in L}$ and $\{\mathrm{view}_V^{P(w)}(x)\}_{x \in L}$, where $S(x, c_1, c_2, \ldots, c_m)$ is of the following form: $(x, a_1, c_1, a_2, c_2, \ldots, a_m, c_m, a_{m+1})$ in the case that the prover sends the first message, or $(x, c_1, a_1, c_2, a_2, \ldots, c_m, a_m)$ in the case that the verifier sends the first message.



Definition 3 (witness indistinguishability WI). Let (P, V) be an interactive proof system for a language $L \in NP$, and let $R_L$ be the fixed NP witness relation for L. That is, $x \in L$ if there exists a w such that $(x, w) \in R_L$. We denote by $\mathrm{view}_{V^*(z)}^{P(w)}(x)$ a random variable describing the transcript of all messages exchanged between a (possibly malicious) verifier $V^*$ and the honest prover P in an execution of the protocol on common input x, when P has auxiliary input w and $V^*$ has auxiliary input z. We say that (P, V) is witness indistinguishable for $R_L$ if for every PPT interactive machine $V^*$, and every two sequences $W^1 = \{w_x^1\}_{x \in L}$ and $W^2 = \{w_x^2\}_{x \in L}$ such that $(x, w_x^1) \in R_L$ and $(x, w_x^2) \in R_L$, the following two probability distributions are computationally indistinguishable by any non-uniform PPT algorithm: $\{x, \mathrm{view}_{V^*(z)}^{P(w_x^1)}(x)\}_{x \in L,\, z \in \{0,1\}^*}$ and $\{x, \mathrm{view}_{V^*(z)}^{P(w_x^2)}(x)\}_{x \in L,\, z \in \{0,1\}^*}$.



Definition 4 (zap [13]). Under a security parameter n, a zap is a 2-round public-coin witness-indistinguishable interactive proof system for proving membership of $t \in L$ of length n, where L is a language in NP. Furthermore, the first-round (verifier to prover) message, denoted $\rho$, which is assumed to be a random string, can be fixed once and for all common inputs of length n. Denote by $\pi$ the second-round (prover to verifier) response. Formally, a zap satisfies the following conditions:

— Completeness. Given t and a witness $w \in W_L(t)$, and a first-round $\rho$, the prover, running in time polynomial in $|t|$, can generate a proof $\pi$ that will be accepted by the verifier with overwhelming probability.

— Soundness. With overwhelming probability over the choice of $\rho$, there exists no $t' \notin L$ and round-2 message $\pi$ such that the verifier accepts $(t', \rho, \pi)$.

— Witness-Indistinguishability. Let $w, w' \in W_L(t)$ for $t \in L$. Then $\forall \rho$, the distribution on $\pi$ when the prover has input (t, w) and the distribution on $\pi$ when the prover has input (t, w') are non-uniform polynomial-time indistinguishable.

We remark that zaps are a very powerful cryptographic tool that greatly simplifies many cryptographic tasks, such as deniable authentication schemes, oblivious transfer, verifiable pseudorandom generators, concurrent zero-knowledge, resettable zero-knowledge, quasi-polynomial time simulatable zero-knowledge and so on [13,16,24,26].

Definition 5 (non-interactive zero-knowledge NIZK). Let NIP and NIV be two interactive machines where NIV is also probabilistic polynomial-time, and let $NI\sigma Len$ be a positive polynomial. We say that (NIP, NIV) is an NIZK proof system for an NP language L if the following conditions hold:

— Completeness. For any $x \in L$ of length n, any $\sigma$ of length $NI\sigma Len(n)$, and any NP-witness w for x, it holds that

$\Pr[\Pi \leftarrow NIP(\sigma, x, w) : NIV(\sigma, x, \Pi) = \mathrm{YES}] = 1.$

— Soundness. $\forall x \notin L$ of length n,

$\Pr[\sigma \leftarrow \{0,1\}^{NI\sigma Len(n)} : \exists \Pi \ \text{s.t.}\ NIV(\sigma, x, \Pi) = \mathrm{YES}]$ is negligible in n.

— Zero-Knowledgeness. $\exists$ a PPT simulator NIS such that, $\forall$ sufficiently large n, $\forall x \in L$ of length n and NP-witness w for x, the following two distributions are computationally indistinguishable: $[(\sigma', \Pi') \leftarrow NIS(x) : (\sigma', \Pi')]$ and $[\sigma \leftarrow \{0,1\}^{NI\sigma Len(n)};\ \Pi \leftarrow NIP(\sigma, x, w) : (\sigma, \Pi)]$.

Non-interactive zero-knowledge proof systems for NP can be constructed based on any one-way permutation [17]. An efficient implementation based on any one-way permutation is presented in [21], and readers are referred to [8] for recent advances in NIZK.

Definition 6 (NIZK proof of knowledge [9]). An NIZK proof system (NIP, NIV) for a language $L \in NP$ with witness relation $R_L$ (as defined above) is an NIZK proof of knowledge (NIZKPOK) if there exists a pair of PPT machines $(E_1, E_2)$ and a negligible function $\varepsilon$ such that for all sufficiently large n:

— Reference-String Uniformity. The distribution on reference strings produced by $E_1(1^n)$ has statistical distance at most $\varepsilon(n)$ from the uniform distribution on $\{0,1\}^{NI\sigma Len(n)}$.

— Witness Extractability. For all adversaries A, we have that $\Pr[\mathrm{Expt}'_A(n) = 1] \geq \Pr[\mathrm{Expt}_A(n) = 1] - \varepsilon(n)$, where the experiments $\mathrm{Expt}_A(n)$ and $\mathrm{Expt}'_A(n)$ are defined as follows:

NIZK proofs of knowledge for NP can be constructed assuming the existence of one-way permutations and dense secure public-key cryptosystems [9].

Definition 7 (deniable authentication). A deniable authentication scheme is a public-key interactive protocol in which an authenticator AP convinces a verifier V, who only has access to AP's public key, that AP is willing to authenticate a message m. However, deniable authentication does not permit V to convince a third party that AP has authenticated m. Specifically, a deniable authentication protocol should satisfy:

— Completeness. For any message m, if the prover (authenticator) and the verifier follow the protocol for authenticating m, then the verifier accepts.

— Soundness (Existential Unforgeability Against Chosen Message Attack). Suppose that the copies of AP are willing to authenticate any polynomial number of messages $m_1, m_2, \ldots$, which may be chosen adaptively by an adversary A. We say that A successfully attacks the scheme if a forger C, under the control of A and pretending to be AP, succeeds in authenticating to a third party D (running the protocol of the original verifier V) a message $m \neq m_i$, $i = 1, 2, \ldots$. The soundness requirement is that every probabilistic polynomial-time A can succeed with at most negligible probability.

— Deniability (zero-knowledge). Consider an adversary A as above and suppose that the copies of AP are willing to authenticate any polynomial number of messages. Then for each A and each message m to be authenticated there exists a polynomial-time simulator that outputs an indistinguishable transcript.

Definition 8 (CCA2-secure non-malleable public-key cryptosystem). Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a public-key encryption scheme and let $A = (A_1, A_2)$ be an adversary. For $k \in \mathbb{N}$ define

$\mathrm{ADV}_{A,\Pi}(k) \stackrel{\mathrm{def}}{=} \Pr[\mathrm{Expt}_{A,\Pi}(k) = 1] - \Pr[\widetilde{\mathrm{Expt}}_{A,\Pi}(k) = 1]$

where

$\mathrm{Expt}_{A,\Pi}(k)$:
  $(pk, sk) \leftarrow \mathcal{K}(1^k)$
  $(M, s) \leftarrow A_1^{\mathcal{D}_{sk}(\cdot)}(pk)$
  $x \leftarrow M$
  $y \leftarrow \mathcal{E}_{pk}(x)$
  $(R, \mathbf{y}) \leftarrow A_2^{\mathcal{D}_{sk}(\cdot)}(s, y)$, where $\mathbf{y}$ is a vector
  $\mathbf{x} \leftarrow \mathcal{D}_{sk}(\mathbf{y})$
  return 1 iff $(y \notin \mathbf{y}) \wedge R(x, \mathbf{x})$

$\widetilde{\mathrm{Expt}}_{A,\Pi}(k)$:
  $(pk, sk) \leftarrow \mathcal{K}(1^k)$
  $(M, s) \leftarrow A_1^{\mathcal{D}_{sk}(\cdot)}(pk)$
  $x, \tilde{x} \leftarrow M$
  $y \leftarrow \mathcal{E}_{pk}(x)$
  $(R, \mathbf{y}) \leftarrow A_2^{\mathcal{D}_{sk}(\cdot)}(s, y)$, where $\mathbf{y}$ is a vector
  $\mathbf{x} \leftarrow \mathcal{D}_{sk}(\mathbf{y})$
  return 1 iff $(y \notin \mathbf{y}) \wedge R(\tilde{x}, \mathbf{x})$

We say that $\Pi$ is secure against chosen-ciphertext attacks in the post-processing model if for every polynomial p(k): if A runs in time p(k), outputs a valid message space M sampleable in time p(k), and outputs a relation R computable in time p(k), then $\mathrm{ADV}_{A,\Pi}(k)$ is negligible. It is understood that $A_2$ is not allowed to ask its oracle for the decryption of the challenge ciphertext y.

The above definition is almost verbatim from [1,2]. There is another equivalent definition of a non-malleable public-key cryptosystem secure against chosen-ciphertext attack in the post-processing model (CCA2) [1,2,22].

Definition 9 (indistinguishability of CCA2-secure encryptions). A public-key encryption scheme $(\mathcal{G}, \mathcal{E}, \mathcal{D})$ is indistinguishable under CCA2 attacks if for every pair of probabilistic polynomial-time oracle machines $A = (A_1, A_2)$,

$|\Pr[\mathrm{Expt}_A(0) = 1] - \Pr[\mathrm{Expt}_A(1) = 1]| < \mu(n)$

where $\mu$ is a negligible function and $\mathrm{Expt}_A(b)$ is defined as follows for $b \in \{0, 1\}$:

1. $(pk, sk) \leftarrow \mathcal{G}(1^n)$: generate a pair of a public key and a secret key.

2. $(m_0, m_1, a) \leftarrow A_1^{\mathcal{D}_{sk}}(pk)$, where $|m_0| = |m_1|$: $A_1$ receives a decryption oracle and outputs a pair of plaintexts for the challenge, and state information a for $A_2$.

3. $c \leftarrow \mathcal{E}_{pk}(m_b)$: compute the challenge ciphertext.

4. $b' \leftarrow A_2^{\mathcal{D}_{sk}^{\neg c}}(c, a)$: $A_2$ receives the challenge ciphert ext, access to a (restricted) decryption oracle ($A_2$ cannot ask c to the decryption oracle as a query) and the state information a from $A_1$, and outputs a guess $b'$ for b.

5. Output $b'$.

The general construction of a CCA2-secure public-key cryptosystem was first achieved by Dolev, Dwork and Naor [10] and was refined by Sahai and Lindell [25,22] by following the technique introduced by Naor and Yung in [23] and using simulation-sound non-interactive zero-knowledge [25,8,22]. The first practical CCA2-secure public-key cryptosystem was achieved by Cramer and Shoup [6]. A good survey of this field can be found in [22].

2.1 Using Time in the Design of Protocols

In the following, we introduce the $(\alpha, \beta)$ time assumption for cryptographic protocol design and the timed commitment scheme.

The $(\alpha, \beta)$ (where $\alpha < \beta$) time assumption is introduced in [14] and essentially assumes that all good parties have clocks satisfying the following constraint: for any two (possibly the same) non-faulty parties $P_1$ and $P_2$, if $P_1$ measures $\alpha$ elapsed time on its local clock and $P_2$ measures $\beta$ elapsed time on its local clock, and $P_2$ begins its measurement in real time after $P_1$ begins, then $P_2$ will finish after $P_1$ does.

Recent works have shown the power of time in the design of cryptographic protocols through the use of $(\alpha, \beta)$ assumptions [11,12,14,15,3,13,19]. In this work, we implicitly use time via the timed commitment introduced in [3].
The following description of timed commitment is almost verbatim from [3]. Let $\varepsilon$ be a negligible function. A $(T, t, \varepsilon)$ timed commitment scheme for a string $y \in \{0,1\}^n$ enables Alice (the committer) to give Bob (the verifier) a commitment to the string y. At a later time Alice can prove to Bob that the committed string is y. However, if Alice refuses to reveal y, Bob can spend time T to forcibly retrieve y. Alice is assured that within time t on a parallel machine with polynomially many processors, where $t < T$, Bob will succeed in obtaining y with probability at most $\varepsilon$. Formally, a $(T, t, \varepsilon)$ timed commitment scheme consists of three phases:

Commit phase: To commit to a string $y \in \{0,1\}^n$, Alice and Bob execute a protocol whose outcome is a commitment string $\zeta$ which is given to Bob.

Open phase: At a later time Alice may reveal the string y to Bob. They execute a protocol so that at the end of the protocol Bob has a proof that y is the committed value.

Forced open phase: Suppose Alice refuses to execute the open phase and does not reveal y. Then there exists an algorithm, called forced-open, that takes the commitment string $\zeta$ as input and outputs y and a proof that y is the committed value by computing a moderately hard function. Specifically, for every valid commitment $\zeta$, it is possible, through moderately hard computation, to recover a pair $(y, \pi)$ such that $\pi$ is an easily checked witness to the fact that $\zeta$ is a commitment to y. The set of valid commitments is in NP: for every valid commitment $\zeta$ there is a witness $\pi$ to the statement "$\zeta$ is a valid commitment to a string that can be recovered through the forced open phase". The running time of the algorithm is T. We remark that the forced open time is relatively large compared to the time of all other operations in the protocol (such as constructing $\zeta$, verifying a correctly decommitted value, verifying future recoverability, etc.). Thus, we think of all other operations as "easy" while recovery is "moderately hard".

And, the commitment scheme must satisfy a number of security constraints:

Binding: During the open phase, Alice cannot convince Bob that $\zeta$ is a commitment to $y' \neq y$.

Soundness: At the end of the commit phase Bob is convinced that, given $\zeta$, the forced-open algorithm will produce the committed value y in time T.

Privacy: Every PRAM algorithm A whose running time is at most t for $t < T$ on polynomially many processors will succeed in distinguishing y from a random string r, given the transcript of the commit protocol as input, with advantage at most $\varepsilon$. In other words,

$|\Pr[A(\mathrm{transcript}, y) = \text{``yes''}] - \Pr[A(\mathrm{transcript}, r) = \text{``yes''}]| < \varepsilon(n)$

where the probability is over the random choice of y and r and the random bits used to create $\zeta$ from y during the commit phase.
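To make the three phases concrete, here is an added toy in Python (not the construction of [3]): the moderately hard function is assumed to be T sequential squarings modulo N = p·q, which the committer shortcuts with the trapdoor φ(N); the proofs that [3] uses to convince Bob at commit time that forced-open will succeed are omitted, and the primes, generator and message below are constructed values.

```python
"""Toy timed commitment following the commit / open / forced-open shape described
above.  Added illustration, not the scheme of [3]: the moderately hard function is
T sequential squarings mod N = p*q, shortcut by the committer via phi(N).  Here y is
a deterministic function of the commitment string, which gives binding; the ZK
proofs of [3] for Bob's soundness guarantee at commit time are left out."""
import hashlib


def _is_prime(n: int) -> bool:
    """Trial division, enough for the small constructed primes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def _pad(h: int, nbytes: int) -> bytes:
    """Derive a one-time pad of nbytes bytes from the puzzle solution h."""
    seed = h.to_bytes((h.bit_length() + 7) // 8 or 1, "big")
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


def commit(y: bytes, p: int, q: int, T: int, g: int = 2) -> dict:
    """Commit phase (Alice).  Returns the commitment string zeta = (N, g, T, c).

    Alice knows phi(N), so she computes h = g^(2^T) mod N with one modular
    exponentiation instead of T sequential squarings (the 'easy' side)."""
    if not (_is_prime(p) and _is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    N, phi = p * q, (p - 1) * (q - 1)
    h = pow(g, pow(2, T, phi), N)       # g^(2^T) = g^(2^T mod phi) mod N, gcd(g, N) = 1
    c = bytes(a ^ b for a, b in zip(y, _pad(h, len(y))))
    return {"N": N, "g": g, "T": T, "c": c}


def open_verify(zeta: dict, y: bytes, p: int, q: int) -> bool:
    """Open phase (Bob).  Alice reveals y and the factorisation of N; Bob recomputes
    h cheaply via phi(N) and checks that zeta decommits to exactly y (binding)."""
    if p * q != zeta["N"] or p == q or not (_is_prime(p) and _is_prime(q)):
        return False
    phi = (p - 1) * (q - 1)
    h = pow(zeta["g"], pow(2, zeta["T"], phi), zeta["N"])
    return bytes(a ^ b for a, b in zip(zeta["c"], _pad(h, len(zeta["c"])))) == y


def forced_open(zeta: dict) -> bytes:
    """Forced open phase (Bob alone).  T sequential squarings recover h and thus y;
    this is the 'moderately hard' computation whose running time is T."""
    N = zeta["N"]
    h = zeta["g"] % N
    for _ in range(zeta["T"]):
        h = h * h % N
    return bytes(a ^ b for a, b in zip(zeta["c"], _pad(h, len(zeta["c"]))))
```

With realistic parameters N would be an RSA-size modulus and T large enough that the squaring chain, which cannot be parallelised, dominates every other step of the protocol.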
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3 Public-Coin WI vs. Public-Coin HVZK and 
Public-Coin SHVZK 



In this section, we clarify the relations among public-coin WI, public-coin HVZK 
and public-coin SHVZK. It is well-known that any public-coin SHVZK protocol 
is also public-coin WI [5] . In this section, we show that the existence of zaps for 
NT (under the existence of one-way permutations) actually strictly separates 
public-coin WI and public-coin SHVZK. We also show that public-coin HVZK 
does not imply public-coin WI assuming the existence of one-way permutations. 



Theorem 1. Assuming one-way permutations exists and NT BTT , there 

exists a public-coin proof system for NT that is WI but not public-coin special 
honest verifier zero-knowledge. 

Proof. We first note that the zap [13] is itself a 2-round public-coin WI proof 
for NT and can be constructed under the assumption that one-way permuta- 
tions exist. Then all the left is to show that zaps cannot be public-coin SHVZK 
assuming NT < l BTT. Actually, using the idea of [20] we can show the following 
lemma. 

Lemma 1. Let L be a language for which there exists a 2-round public-coin 
SHVZK proof system, then L £ BTT. 

Proof. For any language L that has a 2-round public-coin SHVZK proof system, 
let S be the special honest verifier zero-knowledge simulator. We construct 
a BPP machine M that decides L as follows. 

On common input x, machine M chooses a random string r and 
runs S(x,r). If S(x,r) outputs an accepting conversation in polynomial time 
then M decides $x \in L$; otherwise, $x \notin L$. 

Completeness of M: If $x \in L$, then according to the completeness of the 
underlying 2-round public-coin SHVZK proof system, the conversation between 
the honest prover and the honest verifier on x will be an accepting one with overwhelm- 
ing probability. Then according to the definition of public-coin SHVZK, S(x,r) 
will also generate an accepting conversation in polynomial time with overwhelm- 
ing probability, and so M correctly decides $x \in L$ with overwhelming probability. 

Soundness of M: If $x \notin L$, then S(x,r) cannot generate an accepting 
conversation in polynomial time with non-negligible probability, since otherwise 
it would violate the soundness of the underlying 2-round public-coin SHVZK proof 
system. This means that if $x \notin L$ then M will correctly decide $x \notin L$ with 
overwhelming probability. □ 

The theorem follows from the above lemma. □ 

Although 2-round public-coin SHVZK proofs cannot exist for non-trivial 
languages (outside BPP), there do exist 2-round public-coin HVZK proofs for 
NP assuming the existence of one-way permutations. Furthermore, such 2-round 
public-coin HVZK proofs cannot be public-coin WI. 

Theorem 2. Assuming the existence of one-way permutations, there exists a 2- 
round public-coin proof system for NP that is public-coin HVZK but not public- 
coin WI. 

Proof. We first note that there exists a transformation that from any 2-round 
public-coin HVZK protocol for a language L produces another 2-round public- 
coin protocol for the same language L that is still HVZK but not WI. Given a 
2-round public-coin HVZK protocol, the idea is just to modify the given HVZK 
protocol so that the prover outputs the witness if the verifier's first message is 
all zeros. This modification does not hurt the ZK property with respect to an honest 
verifier, but it is certainly not WI. 

Then all that is left is to present a 2-round public-coin HVZK protocol for NP 
under the assumption that one-way permutations exist. Let (NIP, NIV) be 
a non-interactive zero-knowledge proof system for NP that can be constructed 
assuming the existence of one-way permutations. Consider the following 2-round 
public-coin proof system (P, V) for NP: 

Round 1. On common input x of length n, V randomly selects a string r from 
$\{0,1\}^{\mathrm{Len}(n)}$ (the length of the common random string used by the NIZK system) 
and sends r to P. 

Round 2. Using r as the common random string, P gives back a non-interactive 
zero-knowledge proof that there exists a w such that $(x, w) \in R_L$. Specifi- 
cally, P sends back NIP(x,r) to V. 

The completeness and soundness of (P, V) follow from the completeness 
and soundness of the underlying NIZK system. 

(P, V) is public-coin HVZK by observing that the non-interactive zero- 
knowledge simulator of (NIP, NIV) is also an honest verifier zero-knowledge 
simulator for (P, V). □ 

4 Improved Two-Round Timed Deniable Authentication 

We now describe our improved 2-round deniable authentication scheme. We re- 
mark that the following three cryptographic tools play a critical role in the 
original Dwork-Naor 2-round timed deniable authentication [13]: a non-malleable 
public-key cryptosystem secure against chosen-ciphertext attacks in the post- 
processing model, zaps and timed commitments. Besides the above three crypto- 
graphic tools, in this paper we also use collision-resistant hash functions, which 
map strings of different lengths to short, fixed-sized outputs. Informally, a func- 
tion $H : \{0,1\}^* \to \{0,1\}^l$ is collision-resistant if it is infeasible for any (non- 
uniform polynomial-time) adversary to find two strings x and x' such that 
H(x) = H(x'). Collision-resistance is a basic property of cryptographic hash 
functions, such as MD5 or SHA-1. We remark that hashing is a much faster op- 
eration in comparison with public-key encryption and even with block ciphers. 

Let AP be the authenticator and V be the verifier. The AP has a public 
key $(E_1, E_2, \rho, H)$, where $E_1$ and $E_2$ are public encryption keys chosen according 
to a public-key cryptosystem generator that is non-malleable against chosen- 
ciphertext attacks in the post-processing model, $\rho$ is a first-round message of a zap 
and H is a collision-resistant hash function $\{0,1\}^* \to \{0,1\}^n$. AP's private keys 
are $(D_1, D_2)$ corresponding to $(E_1, E_2)$. The verifier V uses a timed commitment 
scheme denoted TC. 

Round 1. The verifier chooses random strings $y_0, y_1, r$ from $\{0,1\}^n$ and sends 
to the authenticator $c \in_R E_1(r)$ and timed commitments $\zeta_0 \in_R TC(y_0)$ and 
$\zeta_1 \in_R TC(y_1)$. In addition, using $\rho$, the verifier gives a zap $\pi$ that at least 
one of the $\zeta_i$ is valid. Finally, the verifier also sends to the authenticator a 
first-round message $\rho'$ for a zap. 

Round 2. The authenticator checks the zap $(\rho, \pi)$ and aborts if verification 
fails. Otherwise, let m be the message to be authenticated; the authenticator 
computes H(m) and sends to the verifier m, $\eta \in_R E_1(r \oplus H(m))$ and $\delta \in_R E_2(s)$ 
for a randomly chosen s in $\{0,1\}^n$. Using $\rho'$, the prover sends a zap $\pi'$ that 
at least one of the following holds: $\eta \in E_1(r \oplus H(m))$ or $s \in \{y_0, y_1\}$. The 
witness used in creating $\pi'$ is the set of random bits used in creating $\eta$. 

The verifier V accepts if and only if both (1) the zap $(\rho', \pi')$ is accepted and (2) 
AP's response is received in a timely fashion, satisfying the following $(\alpha, \beta)$ 
timing constraint. 

$(\alpha, \beta)$-Timing constraint: AP's Round 2 message must arrive within time 
$\alpha$ on V's local clock from the time at which V sent its Round 1 message. $\alpha$ and 
$\beta$ are chosen to satisfy $\alpha < \beta$ and $\beta + \gamma < T$, where the value T is the time 
below which it is safe to assume that the timed commitment cannot be broken, 
even by a PRAM, and $\gamma$ is an upper bound on the time it takes to create a zap 
by a program that is given a witness. For completeness, $\alpha$ must be sufficiently 
large to permit the necessary computation by AP, and the round-trip message 
delay. 

Theorem 1. The above protocol is a 2-round, timed deniable authentication 
scheme. 

Proof. The completeness can be easily checked. Here we only focus on soundness 
and deniability of the scheme. 

Soundness. After having asked the authenticator to authenticate any poly- 
nomial number of messages $m_1, m_2, \dots$, suppose the adversary is trying to 
forge a message m, $m \neq m_i$, $i = 1, 2, \dots$. Then, for a Round 1 message 
$(E_1(r), TC(y_0), TC(y_1), \pi, \rho')$ received from the verifier, there are three cases 
in which the adversary can successfully respond to it: 

Case 1. $H(m) = H(m_i)$ for some $i = 1, 2, \dots$. 

Case 2. $H(m) \neq H(m_i)$, $i = 1, 2, \dots$, and the zap $(\rho', \pi')$ is created by using 
$H(m) \oplus r$ as the witness. 

Case 3. $H(m) \neq H(m_i)$, $i = 1, 2, \dots$, and the zap $(\rho', \pi')$ is created by using 
$y_i$, $i \in \{0, 1\}$, as the witness. 

It is clear that the probability that the adversary succeeds in Case 1 is negli- 
gible due to the collision-resistance property of the hash function used. By the 
non-malleability of $E_1$ the adversary also cannot compute $H(m) \oplus r$; oth- 
erwise, the adversary could completely break $E_1$. So the probability of Case 2 is 
also negligible. In the following, we focus on the analysis of Case 3. 

According to the above arguments, we know that given that the adversary suc- 
cessfully provides the zap $(\rho', \pi')$, with overwhelming probability it is the case 
that $s = y_i$ for some $i \in \{0, 1\}$. Furthermore, the adversary responds in a timely 
way satisfying the timing constraints specified above. Then, from the adver- 
sary together with the real authenticator (who knows $D_2$, the decryption key corresponding to 
$E_2$) we can construct a non-uniform PPT algorithm that breaks the timed 
commitment scheme TC with probability negligibly close to 1/2 as follows: given 
TC(y), choose y' at random and give TC(y'); then, using the witness based on 
y', give a zap that at least one of TC(y) or TC(y') is recoverable. By definition, 
such a zap can be constructed within time $\gamma$. If the adversary successfully gives 
back the Round 2 message $(m, \eta, \delta, \rho', \pi')$ within time $\alpha$, then with probability 
negligibly close to 1/2 we will get y by decrypting $\delta$. This means that TC has 
been broken in time at most $\beta + \gamma < T$, which contradicts the privacy property 
of the timed commitment used. Thus, the probability of Case 3 is also negligible. 

Deniability. For each message m to be authenticated, after receiving 
$(E_1(r), TC(y_0), TC(y_1), \pi, \rho')$ from the verifier the simulator first checks the zap 
$(\rho, \pi)$ and aborts if verification fails. Otherwise, the simulator freezes the clocks 
and extracts from $TC(y_0)$ and $TC(y_1)$ either $y_0$ or $y_1$ by using the forced-open 
algorithm of the timed commitment. It then creates $E_1(r')$ for a random $r'$ and 
creates $E_2(y_i)$ and uses it as a witness to a zap $\pi'$ that $\eta \in E_1(H(m) \oplus r)$ or 
$s = y_i$. 

Now consider four classes of transcripts: they differ according to the values 
encrypted by $E_1$ and $E_2$ and which witness is used in creating the zap $\pi'$: $H(m) \oplus r$ 
or $y_i$. 

1. $(E_1(H(m) \oplus r), E_2(s), \pi'(H(m) \oplus r))$, where s is a random string and 
$\pi'(H(m) \oplus r)$ denotes that the zap $\pi'$ is created using $H(m) \oplus r$ as the 
witness. 

2. $(E_1(H(m) \oplus r), E_2(y_i), \pi'(H(m) \oplus r))$. 

3. $(E_1(H(m) \oplus r), E_2(y_i), \pi'(y_i))$. 

4. $(E_1(r'), E_2(y_i), \pi'(y_i))$. 

The real transcripts are the first class. The simulator outputs the fourth 
class. Class 1 is indistinguishable from Class 2 by the indistinguisha- 
bility of a public-key cryptosystem secure against chosen-ciphertext attacks in 
the post-processing model. For the same reason, Class 3 is also indistinguish- 
able from Class 4. Class 2 and Class 3 are indistinguishable by the witness- 
indistinguishability of zaps. Hence Class 1 and Class 4 are computationally in- 
distinguishable. □ 

We comment that the main difference between our protocol and the original 
Dwork-Naor scheme is that in the original protocol of Dwork and Naor [13] the 
verifier sends $E_1(m \oplus r)$ rather than only $E_1(r)$ as in our protocol. This means that the 
dependence of the first verifier message on the message to be authenticated, 
present in the original scheme, is avoided. 
Abstract. Different security measurements for a steganographic sys- 
tem, i.e. security (detectability), robustness and secrecy (difficulty of ex- 
traction), are discussed in this paper. We propose a new measurement for 
the security of stegosystems using variational distance, which can upper 
bound the advantage for passive attackers. It is proved that the hiding 
capacity, which is also the measurement for robustness, is limited by 
security. We think the extracting attack essentially is a kind of crypt- 
analysis and define the secrecy of stegosystems as an analogue of the secrecy 
of cryptosystems. The relations of secrecy with capacity and security are 
analyzed in terms of unicity distance. And it is shown that there 
is a tradeoff between secrecy and capacity, while there is some kind of 
consistency between secrecy and security. 



1 Introduction 

This paper is about steganography, which is the oldest branch of information 
hiding. The scientific study of steganography began with Simmons’ “Prison- 
ers’ Problem” [1]. Surveys of its history and current development 
can be found in [2] and [3]. A general model of a steganographic system (i.e. 
stegosystem) can be described as follows. The embedded data M is the message 
that Alice wants to send secretly to Bob. It is hidden in an innocuous message 
X, usually named the cover-object, under the control of a stego-key K, producing the 
stego-object $\tilde{X}$. And the receiver can extract M from $\tilde{X}$ with the stego-key K. 

The attacks on a stegosystem mainly include passive attack, active attack, 
and extracting attack. A passive attacker only wants to detect the existence of 
the embedded message, while an active attacker wants to destroy the embedded 
message. The purpose of an extracting attacker is to obtain the message hidden 
in the stego-object. So there are three kinds of security measurements for the 
different attackers respectively, i.e. detectability, robustness and difficulty of ex- 
traction. Usually the problem of steganography only concerns detectability, 
so in much of the literature detectability is referred to as the security of a stegosystem. 
In this paper, we also call detectability the security of a stegosystem and the 
difficulty of extraction its secrecy. But so far the definitions of the three se- 
curity measurements are still tangled and the relations between them are still unclear. The 
main purpose of this paper is just to distinguish their definitions and analyze 
the relations between them. 

So far there have been several papers that define the security (detectabil- 
ity) of stegosystems, such as [4, 5, 6, 7], and that of C. Cachin [5] is the most in- 
fluential. Cachin formulates the steganography problem as a hypothesis testing 
problem and defines the security using the statistical distance between the cover- 
object and stego-object, which indeed captures the key of detectability. But he 
uses the relative entropy as the security measurement, which, to some extent, 
seems not appropriate. According to Cachin’s definition the stegosystem is $\varepsilon$- 
secure when the relative entropy $D(X \| \tilde{X}) \le \varepsilon$, and perfectly secure when $\varepsilon = 0$. 
Supposing the false alarm probability (the probability of a cover-object being 
mistaken for a stego-object) equals zero, Cachin uses the relative entropy to es- 
timate the lower bound of the missing probability (the probability of a stego-object 
being mistaken for a cover-object). However, it is evident that the adversary will 
not use a rule that makes the false alarm probability very small, because 
this means he will miss the illegal messages with a large probability. For instance, in 
Cachin’s model, when the stegosystem is perfectly secure, the probability of the 
adversary finding the stego-object equals zero. But the fact is that even guessing 
randomly, he could succeed with probability 1/2. 

S. Katzenbeisser and F. A. Petitcolas [8] define security in computational set- 
tings, and their definition still needs a security measurement, which is referred to 
as the advantage of an adversary, i.e. the probability of the adversary’s success- 
ful detection minus 1/2. This description of a stegosystem’s security is reasonable, 
but it is a description in words. And the definition of R. Chandramouli and 
N. D. Memon [9] can be thought of as a mathematical version of the description in [8], 
and their definition is related to the strategy of attackers. In fact we hope 
there is a metric that can reflect the adversaries’ advantage, and in this paper 
we will propose such a metric with variational distance. 

Information hiding with active attackers was analyzed by P. Moulin and 
J. A. O’Sullivan [10] and M. Ettinger [11]. They define the robustness using “hid- 
ing capacity”. Robustness is mainly of concern in the watermarking problem, but as 
the measure of efficiency, capacity is also important for steganography. I. S. Mos- 
kowitz et al. [7] proposed a two-dimensional security measure for steganography, 
i.e. capability = (P, D), where P is the payload size and D is the detectability thresh- 
old. In this paper, we prove that the capacity is limited by detectability, and for 
stegosystems with active attackers this shows a tradeoff between the security 
and robustness. 

Security and robustness have received much attention. However there is 
scarcely any literature about extracting attacks. We only know that R. Chandra- 
mouli studied how to extract the hidden message for some kind of scenario 
in [12], and J. Fridrich et al. recently presented a methodology for identifying the 
stego-key in [13]. In fact, for most stegosystems the message is required to be 
encrypted before it is embedded into the cover-object, so the secrecy is guar- 
anteed by the cryptographic algorithm. So steganalysts only concern themselves with detection 
and think extraction is the task of cryptanalysts, while the latter only process 
encrypted data. But how to extract the hidden message is a very difficult prob- 
lem itself. We think the extracting attack essentially is a kind of cryptanalysis. 
When facing the model of “encryption+hiding”, a cryptanalyst has to analyze a 
“multiple cipher”: he should extract the hidden message (the ciphertexts) from 
stego-objects, and then extract the plaintexts from the hidden message. In this 
paper, we distinguish the secrecy of steganography from that of cryptography. 
If the message has been encrypted, the extraction attacker is successful as long 
as he can extract the ciphertexts. So the secrecy of steganography is just the 
difficulty of extraction. Because the extracting attack is a kind of cryptanalysis, we 
define the secrecy of steganography imitating Shannon’s definition of uncon- 
ditional security of cryptosystems [14], i.e. measuring the secrecy with the mutual 
information $I(M; \tilde{X})$ or $I(M; X, \tilde{X})$. And we will analyze the relations between 
security, capacity and secrecy. 

The rest of this paper is organized as follows: Section 2 defines the security 
of stegosystems with variational distance and estimates the upper bound of the 
advantage for passive adversaries. Section 3 proves the tradeoff between the 
security and capacity. Section 4 defines the perfect secrecy for only stego-object 
extracting attack and known cover-object extracting attack respectively, and 
analyzes the relations between capacity, security and secrecy in terms of unicity 
distance. The paper concludes with a discussion in Sect. 5. 

2 Security of Stegosystems 

2.1 Notations and Statement of Problem 

We use the following notations. Random variables are denoted by capital letters 
(e.g. X), and their realizations by the respective lower case letters (e.g. x). The 
domains over which random variables are defined are denoted by script letters 
(e.g. $\mathcal{X}$). Sequences of n random variables are denoted with a superscript n (e.g. 
$X^n = (X_1, X_2, \dots, X_n)$, which takes its values on the product set $\mathcal{X}^n$). The 
probability mass function (p.m.f.) of random variable X is denoted by $P_X(x)$, 
and when no confusion is possible, we drop the subscript. 

Definition 1. Let X and $\tilde{X}$ be two random variables on a discrete universe 
$\mathcal{X}$; then the variational distance between X and $\tilde{X}$ is defined to be 

$$VD(X, \tilde{X}) = \max_{S \subseteq \mathcal{X}} \left| P_{\tilde{X}}(S) - P_X(S) \right| .$$

Lemma 1. Let X and $\tilde{X}$ be two random variables on a discrete universe 
$\mathcal{X}$, and let $\mathcal{Y}$ be another discrete universe; then for any function $f : \mathcal{X} \to \mathcal{Y}$, 
$VD(f(X), f(\tilde{X})) \le VD(X, \tilde{X})$. 

In this paper, X stands for the cover-object, taking values in $\mathcal{X}$. M denotes the 
hidden message, K is the stego-key (embedding key). $\tilde{X}$, which is also defined 
on $\mathcal{X}$, denotes the stego-object. Here the hidden message is what will ultimately 
be embedded into the cover-object, which usually is encrypted data. And the 
stego-key only refers to the embedding key, excluding the encryption key. E is the 
embedding algorithm, with which the sender Alice embeds m into x to get $\tilde{x}$ 
using k, i.e. $\tilde{x} = E(x, m, k)$. And D is the extracting algorithm used by the receiver 
Bob, which satisfies $m = D(\tilde{x}, k) = D(E(x, m, k), k)$. We denote a stegosystem 
by a set with 6 elements: stegosystem$(X, \tilde{X}, M, K, E, D)$. 

The present paper mainly follows the view of Cachin [5], who formulated the 
steganography problem with passive attackers as a hypothesis testing problem. 
Alice, who may use a stegosystem, sends data to Bob. The passive adversary 
Wendy observes the data and performs a hypothesis test. Here the null 
hypothesis $H_0$ is that the data is generated according to X, i.e. Alice sent a cover- 
object. And the alternative hypothesis $H_1$ is that the data is generated according 
to $\tilde{X}$, i.e. Alice sent a stego-object. The probability that Wendy fails to detect a 
stego-object is called the missing probability and denoted by $\beta$. And the probability 
that she takes a cover-object for a stego-object is called the false alarm probability 
and denoted by $\alpha$. 

2.2 Security of Stegosystem 

Variational distance can reflect the statistical difference of two probability distri- 
butions as relative entropy does. What’s more, variational distance is a distance 
in the mathematical sense and takes values between zero and one. So with vari- 
ational distance as the measurement, we can compare the security of different 
stegosystems. We define the security of a stegosystem as follows. 

Definition 2. A stegosystem$(X, \tilde{X}, M, K, E, D)$ is called $\varepsilon$-secure if 

$$VD(X, \tilde{X}) \le \varepsilon .$$

And when $\varepsilon = 0$, the system is called perfectly secure. 

With relative entropy as the security measure, Cachin [5] obtains a lower bound 
on the missing probability $\beta$, i.e. if $D(X \| \tilde{X}) \le \varepsilon$ and the false alarm probability 
$\alpha = 0$, then $\beta \ge 2^{-\varepsilon}$. But, as analyzed in Sect. 1, what we need is an 
estimate of the advantage for adversaries. To do this, we define the event 
of successful attack as 

$$SUCC = \{H_0 \text{ is true and Wendy accepts } H_0\} \cup \{H_1 \text{ is true and Wendy accepts } H_1\} .$$

And its complementary event is defined to be 

$$\overline{SUCC} = \{H_0 \text{ is true and Wendy accepts } H_1\} \cup \{H_1 \text{ is true and Wendy accepts } H_0\} .$$

It is reasonable for Wendy to suppose that the prior probabilities of $H_0$ and 
$H_1$ are $P(H_0) = P(H_1) = \frac{1}{2}$, because which kind of object 
Alice will send is random for Wendy, who wants to get some advantage through 
the observed data. So the advantage for the adversary (Adv) is defined by 

$$Adv = \left| P(SUCC) - \tfrac{1}{2} \right| . \qquad (1)$$

As for Adv, using the security measurement in Definition 2 we can obtain the 
following result. 

Theorem 1. If a stegosystem$(X, \tilde{X}, M, K, E, D)$ is $\varepsilon$-secure, then the advan- 
tage for the adversary satisfies $Adv \le \frac{\varepsilon}{2}$. And when the system is perfectly secure, 
i.e. $\varepsilon = 0$, then $Adv = 0$. 

Proof. Note that the probabilities of the two types of error made by 
Wendy are just $\alpha = P\{\text{Wendy accepts } H_1 \mid H_0 \text{ is true}\}$ and 
$\beta = P\{\text{Wendy accepts } H_0 \mid H_1 \text{ is true}\}$. 

Combining these two equalities with the fact $P(H_0) = P(H_1) = \frac{1}{2}$, we have 
$P(\overline{SUCC}) = \frac{1}{2}(\alpha + \beta)$ and then 

$$P(SUCC) = 1 - \tfrac{1}{2}(\alpha + \beta) . \qquad (2)$$

The probabilities of the two types of error, $\alpha$ and $\beta$, induce two 0-1 random 
variables as follows (each row is the p.m.f. of the variable over the values 0 and 1): 

                   0              1 
  $X'$            $\alpha$        $1 - \alpha$ 
  $\tilde{X}'$    $1 - \beta$     $\beta$ 

$X'$ and $\tilde{X}'$ can be obtained through the same function from X and $\tilde{X}$, so using Lemma 
1 we obtain that $VD(X', \tilde{X}') \le VD(X, \tilde{X})$, i.e. $1 - \varepsilon \le \alpha + \beta \le 1 + \varepsilon$, which 
with (2) implies that $\frac{1}{2} - \frac{\varepsilon}{2} \le P(SUCC) \le \frac{1}{2} + \frac{\varepsilon}{2}$, i.e. $Adv \le \frac{\varepsilon}{2}$. □ 

Theorem 1 shows that if a stegosystem is $\varepsilon$-secure, the advantage for a pas- 
sive adversary using any decision rule over an adversary guessing randomly is 
no larger than $\frac{\varepsilon}{2}$. And if the stegosystem is perfectly secure, then any deci- 
sion rule used by the adversary is no more effective than guessing randomly. 
That means that the knowledge the adversary gets through observing data about 
whether Alice has sent a stego-object or not is zero. So the metric given in Defi- 
nition 2 accurately depicts the security of stegosystems. 
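The bound of Theorem 1 made concrete, as an added example that is not from the paper: it evaluates VD literally over all subsets S of a small universe, computes the advantage of the likelihood-ratio detector and of every other deterministic decision rule, and checks Lemma 1 on a post-processed observation. The two p.m.f.s and the function f (symbol parity) are constructed assumptions.

```python
from itertools import combinations

# Constructed (assumed) p.m.f.s over the universe {0,1,2,3}: cover X and stego X~.
COVER = {0: 0.40, 1: 0.30, 2: 0.20, 3: 0.10}
STEGO = {0: 0.35, 1: 0.30, 2: 0.25, 3: 0.10}


def all_subsets(universe):
    """Every subset S of a (small) discrete universe."""
    xs = sorted(universe)
    for r in range(len(xs) + 1):
        for subset in combinations(xs, r):
            yield set(subset)


def prob_of(pmf, subset):
    """P(S) under a p.m.f. given as {outcome: probability}."""
    return sum(pmf.get(x, 0.0) for x in subset)


def variational_distance(p, q):
    """VD(X, X~) = max over subsets S of |P_X~(S) - P_X(S)| (Definition 1),
    evaluated literally over all 2^|X| subsets of the universe."""
    return max(abs(prob_of(q, s) - prob_of(p, s)) for s in all_subsets(p))


def error_rates(accept_h1, p, q):
    """Decision rule 'accept H1 iff the observed symbol lies in accept_h1':
    false alarm alpha = P(accept H1 | cover), missing beta = P(accept H0 | stego)."""
    alpha = prob_of(p, accept_h1)
    beta = 1.0 - prob_of(q, accept_h1)
    return alpha, beta


def advantage(accept_h1, p, q):
    """Adv = |P(SUCC) - 1/2| with P(SUCC) = 1 - (alpha + beta)/2, equation (2),
    under the equal-prior assumption P(H0) = P(H1) = 1/2."""
    alpha, beta = error_rates(accept_h1, p, q)
    return abs((1.0 - (alpha + beta) / 2.0) - 0.5)


def bayes_rule(p, q):
    """Likelihood-ratio detector: accept H1 exactly where the stego p.m.f. is larger."""
    return {x for x in p if q[x] > p[x]}


def max_advantage(p, q):
    """Largest advantage over every deterministic decision rule (every subset S);
    Theorem 1 says it can never exceed VD(X, X~)/2."""
    return max(advantage(s, p, q) for s in all_subsets(p))


def push_forward(pmf, f):
    """P.m.f. of f(X) for a function f on the universe, as used in Lemma 1."""
    out = {}
    for x, prob in pmf.items():
        out[f(x)] = out.get(f(x), 0.0) + prob
    return out


if __name__ == "__main__":
    eps = variational_distance(COVER, STEGO)
    print("epsilon =", eps, " eps/2 =", eps / 2)
    print("Adv of Bayes rule =", advantage(bayes_rule(COVER, STEGO), COVER, STEGO))
    print("max Adv over all rules =", max_advantage(COVER, STEGO))
    # Lemma 1: a detector that sees only f(X) (here the symbol's parity)
    # faces a VD no larger than the original one.
    parity = lambda x: x % 2
    print("VD of parity =", variational_distance(push_forward(COVER, parity),
                                                 push_forward(STEGO, parity)))
```

For these two p.m.f.s the likelihood-ratio rule attains Adv = ε/2 exactly, and no other rule does better; after reduction to parity the two distributions coincide, so that observer has no advantage at all.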



3 Tradeoff between Security and Capacity 

Moulin and O’Sullivan [10] and Ettinger [11] view the information hiding prob- 
lem as a capacity game between the users of a stegosystem and the active at- 
tacker. According to the formulations in [10], a strategy of the sender is just a “covert 
channel”, i.e. a conditional p.m.f. $Q(\tilde{x}, u \mid x, k)$, subject to distortion $D_1$. Here U 
is an auxiliary random variable. $\mathcal{Q}$ is the set of all such covert channels. The 
attacker’s output is denoted by Y, and a strategy of the attacker is described 
as an “attack channel”, i.e. a conditional p.m.f. $A(y \mid \tilde{x})$, subject to distortion $D_2$. 
And the set of all such attack channels is denoted by $\mathcal{A}$. The hiding capacity 
is defined as the upper bound of rates of reliable transmission of the hidden 
message. Moulin and O’Sullivan obtained an expression for the hiding capacity 
as follows: 

$$C = \max_{Q \in \mathcal{Q}} \min_{A \in \mathcal{A}} \left[ I(U; Y \mid K) - I(U; X \mid K) \right] , \qquad (3)$$

where $(U, X, K) \to \tilde{X} \to Y$ is a Markov chain. 

In this section, we discuss the relation between the detectability (security) 
and the capacity (robustness) of general information hiding problems. We think 
the detectability of an information hiding code should include two parts: one is 
the perceptual detectability (transparency), which is needed by any information hid- 
ing problem such as watermarking, steganography and fingerprinting; the other is 
statistical detectability, which is just the security of steganography. The former 
means the stego-object is a good estimate of the cover-object, so it can be 
measured by the probability $p_e = P(X \ne \tilde{X})$, which is related to the condi- 
tional entropy $H(X \mid \tilde{X})$, and the latter can be measured by the advantage for 
adversaries which, as we have proved in Sect. 2, is related to the variational 
distance $VD(X, \tilde{X})$. The theorem below shows that there is a tradeoff between the 
detectability and the capacity. 

Lemma 2. Let X and $\tilde{X}$ be random variables on a discrete universe $\mathcal{X}$, 
and $VD(X, \tilde{X}) = \varepsilon$. Then $|H(X) - H(\tilde{X})| \le H(\varepsilon) + \varepsilon \log_2(|\mathcal{X}| - 1)$. 

Theorem 2. For a stegosystem$(X, \tilde{X}, M, K, E, D)$, if $P(X \ne \tilde{X}) = p_e$, 
$VD(X, \tilde{X}) = \varepsilon$ and the hiding capacity is C, then we have 

$$C \le H(p_e) + H(\varepsilon) + (p_e + \varepsilon) \log_2(|\mathcal{X}| - 1) . \qquad (4)$$

Proof. 

$$\begin{aligned}
& I(U; Y \mid K) - I(U; X \mid K) \\
&\overset{(a)}{\le} I(U; \tilde{X} \mid K) - I(U; X \mid K) \\
&= [I(U; X, \tilde{X} \mid K) - I(U; X \mid \tilde{X}, K)] - [I(U; X, \tilde{X} \mid K) - I(U; \tilde{X} \mid X, K)] \\
&= I(U; \tilde{X} \mid X, K) - I(U; X \mid \tilde{X}, K) \\
&\le I(U; \tilde{X} \mid X, K) \\
&\le H(\tilde{X} \mid X, K) \\
&\le H(\tilde{X} \mid X) \\
&= H(\tilde{X}) - I(X; \tilde{X}) \\
&= [H(\tilde{X}) - H(X)] + H(X \mid \tilde{X}) \\
&\overset{(b)}{\le} H(\varepsilon) + \varepsilon \log_2(|\mathcal{X}| - 1) + H(p_e) + p_e \log_2(|\mathcal{X}| - 1) \\
&= H(p_e) + H(\varepsilon) + (p_e + \varepsilon) \log_2(|\mathcal{X}| - 1) .
\end{aligned}$$

Here (a) follows from the data processing inequality applied to the Markov chain 
$(U, X, K) \to \tilde{X} \to Y$, and (b) is obtained from Lemma 2 and Fano’s inequality. 
Combining the inequality above with (3) proves the theorem. □ 

On account of the meaning of $p_e$ and Theorem 1, it is reasonable for us 
to suppose that $p_e < \frac{1}{2}$ and $\varepsilon < \frac{1}{2}$. Under this condition, the right-hand side of (4) 
increases with $p_e$ and $\varepsilon$. So Theorem 2 shows a tradeoff between the capac- 
ity and detectability. And the upper bound on hiding capacity includes two 
symmetrical parts: the first part is a function of perceptual detectability, i.e. 
$H(p_e) + p_e \log_2(|\mathcal{X}| - 1)$, and the second part is a function of statistical detectabil- 
ity (security), i.e. $H(\varepsilon) + \varepsilon \log_2(|\mathcal{X}| - 1)$. Given $p_e$, Theorem 2 means a tradeoff 
between the security and capacity, and for information hiding problems with 
active attackers this is just the tradeoff between the security and robustness. 



4 The Relations between Capacity, Security, and Secrecy 

Since the extracting attack on a stegosystem in principle is a kind of cryptanal- 
ysis, we define the secrecy of stegosystems by analogy with Shannon’s [14] 
for cryptosystems. 

Definition 3. A stegosystem$(X, \tilde{X}, M, K, E, D)$ is perfectly secret for only 
stego-object extracting attack if $I(M; \tilde{X}) = 0$, and is perfectly secret for known 
cover-object extracting attack if $I(M; X, \tilde{X}) = 0$. 

J. Zöllner et al. [4] defined the security of a stegosystem using $I(M; X, \tilde{X})$, 
but what they wanted to describe was the detectability, which seems not ap- 
propriate because of the difference between security and secrecy. 

In this section, we only discuss the steganographic problem without active 
attackers. And we suppose that the stego-key K is independent of M and X. In this 
scenario, the result of [10] combined with the discussion in [17] implies that the 
hiding capacity is 

$$C = \max_{P(\tilde{X} \mid X)} H(\tilde{X} \mid X) . \qquad (5)$$

We also suppose that both the source of cover-objects and the channel $P(\tilde{X} \mid X)$ 
are memoryless. This seems not realistic, but we can think of X and $\tilde{X}$ as both 
standing for block data, and supposing blockwise memorylessness is usually reasonable. 

What the extracting attacker ultimately wants to obtain is just the stego- 
key. Therefore we analyze the relations between capacity, security and secrecy 
in terms of the unicity distance for the stego-key. And we begin with the known 
cover-object extracting attack. 

Lemma 3. For a stegosystem$(X, \tilde{X}, M, K, E, D)$, if K is independent of X, 
then $H(K \mid X, \tilde{X}) = H(K) + H(M \mid X, K) - H(\tilde{X} \mid X)$. 
Proof. Because $\tilde{X}$ can be determined by $(X, M, K)$, and M can be determined 
by $(\tilde{X}, K)$, we have $H(\tilde{X} \mid X, M, K) = 0$ and $H(M \mid \tilde{X}, K) = 0$. So 

$$\begin{aligned}
H(X, M, K) &= H(X, M, K) + H(\tilde{X} \mid X, M, K) \\
&= H(X, \tilde{X}, M, K) \\
&= H(X, \tilde{X}, K) + H(M \mid X, \tilde{X}, K) \\
&= H(X, \tilde{X}, K) .
\end{aligned}$$

Since K is independent of X, using the chain rule we have 

$$\begin{aligned}
H(X, M, K) &= H(K) + H(X \mid K) + H(M \mid X, K) \\
&= H(K) + H(X) + H(M \mid X, K) ,
\end{aligned}$$

and 

$$H(X, \tilde{X}, K) = H(X) + H(\tilde{X} \mid X) + H(K \mid X, \tilde{X}) .$$

Combining the three equalities above, we get 

$$H(K \mid X, \tilde{X}) = H(K) + H(M \mid X, K) - H(\tilde{X} \mid X) . \qquad □$$



Theorem 3. For a stegosystem$(X, \tilde{X}, M, K, E, D)$, if K is independent of 
X and M, and both the source of cover-objects and the covert channel are memoryless, 
then for a given long enough sequence (of length n) of pairs of cover-objects and 
stego-objects, the expected number of spurious stego-keys $S_n$ for known cover-object 
extracting attack has the lower bound 

$$S_n \ge \frac{2^{H(K)}}{2^{nC}} - 1 , \qquad (6)$$

where $C = H(\tilde{X} \mid X)$ is the hiding capacity. 

Proof. For a given sequence of pairs of cover-objects and stego-objects $(x^n, \tilde{x}^n) \in 
(\mathcal{X}^n \times \mathcal{X}^n)$, define the set of possible stego-keys as 

$$K(x^n, \tilde{x}^n) = \{ k \in \mathcal{K} \mid \text{there is } m^n \in \mathcal{M}^n \text{ such that } P(m^n) > 0,\ E(x^n, m^n, k) = \tilde{x}^n \} .$$

So the number of spurious stego-keys for the observed $(x^n, \tilde{x}^n)$ is $|K(x^n, \tilde{x}^n)| - 1$, 
and the expected number of spurious stego-keys is given by 

$$S_n = \sum_{(x^n, \tilde{x}^n)} P(x^n, \tilde{x}^n) \left( |K(x^n, \tilde{x}^n)| - 1 \right) = \sum_{(x^n, \tilde{x}^n)} P(x^n, \tilde{x}^n) \, |K(x^n, \tilde{x}^n)| - 1 .$$



Using Jensen’s inequality, we get 

$$\begin{aligned}
H(K \mid X^n, \tilde{X}^n) &= \sum_{(x^n, \tilde{x}^n)} P(x^n, \tilde{x}^n) \, H(K \mid x^n, \tilde{x}^n) \\
&\le \sum_{(x^n, \tilde{x}^n)} P(x^n, \tilde{x}^n) \log_2 |K(x^n, \tilde{x}^n)| \\
&\le \log_2 \sum_{(x^n, \tilde{x}^n)} P(x^n, \tilde{x}^n) \, |K(x^n, \tilde{x}^n)| \\
&= \log_2 (S_n + 1) .
\end{aligned}$$

On the other hand, Lemma 3 and the fact that the source of cover-objects and the covert 
channel are memoryless imply that 

$$\begin{aligned}
H(K \mid X^n, \tilde{X}^n) &= H(K) + H(M^n \mid X^n, K) - H(\tilde{X}^n \mid X^n) \\
&\ge H(K) - H(\tilde{X}^n \mid X^n) \\
&= H(K) - nH(\tilde{X} \mid X) .
\end{aligned}$$

Combining the two inequalities above, we have $\log_2(S_n + 1) \ge H(K) - nH(\tilde{X} \mid X)$, 
i.e. 

$$S_n \ge \frac{2^{H(K)}}{2^{nH(\tilde{X} \mid X)}} - 1 .$$

Since $C = \max_{P(\tilde{X} \mid X)} H(\tilde{X} \mid X)$, we have 

$$S_n \ge \frac{2^{H(K)}}{2^{nC}} - 1 . \qquad □$$



Definition 4. The unicity distance $n_0$ for a stegosystem with known cover- 
object extracting attackers is the length of the sequence of pairs of cover-objects and stego-objects 
at which one expects that the expected number of spurious stego-keys equals zero. And 
the unicity distance $n_1$ for a stegosystem with only stego-object extracting at- 
tackers is the length of the sequence of stego-objects at which one expects that the expected number of 
spurious stego-keys equals zero. 

It is easy to see that $n_1 \ge n_0$, because $H(K \mid \tilde{X}) \ge H(K \mid X, \tilde{X})$. What’s 
more, setting $S_n = 0$ in (6) we have 

$$n_1 \ge n_0 \ge \frac{H(K)}{C} . \qquad (7)$$

Inequality (7) with Theorem 2 implies that 

$$n_1 \ge n_0 \ge \frac{H(K)}{H(p_e) + H(\varepsilon) + (p_e + \varepsilon) \log_2(|\mathcal{X}| - 1)} . \qquad (8)$$

For a stegosystem, (7) shows a tradeoff between secrecy and capacity, 
while (8) shows some kind of consistency of secrecy with security. 
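An added worked example (not the paper's code) that builds a toy stegosystem and checks, by exact enumeration rather than simulation, both the capacity inequality (4) of Theorem 2 and the spurious-key bound (6) of Theorem 3 together with the unicity bound (7). The 4-bit skewed cover p.m.f., the uniform message bit and the key family k = (pos, b), which writes m XOR b into bit pos of the cover symbol, are constructed assumptions.

```python
from itertools import product
from math import log2

BITS = 4
UNIVERSE = range(1 << BITS)                 # script X, |X| = 16 cover symbols
# Constructed (assumed) cover p.m.f.: skewed towards small symbol values.
_raw = [2.0 ** -(x // 3) for x in UNIVERSE]
COVER = {x: w / sum(_raw) for x, w in zip(UNIVERSE, _raw)}
MESSAGE = {0: 0.5, 1: 0.5}                  # one uniform message bit per symbol
# Constructed key family: k = (pos, b) writes m XOR b into bit 'pos'.
KEYS = [(pos, b) for pos in range(BITS) for b in (0, 1)]
KEY_PMF = {k: 1.0 / len(KEYS) for k in KEYS}   # K uniform, H(K) = 3 bits


def embed(x, m, key):
    """E(x, m, k): cover symbol x with bit 'pos' replaced by m XOR b."""
    pos, b = key
    return (x & ~(1 << pos)) | ((m ^ b) << pos)


def extract(x_tilde, key):
    """D(x~, k) = (bit 'pos' of x~) XOR b, so that D(E(x, m, k), k) = m."""
    pos, b = key
    return ((x_tilde >> pos) & 1) ^ b


def entropy(pmf):
    """Shannon entropy in bits of a p.m.f. given as {outcome: probability}."""
    return -sum(p * log2(p) for p in pmf.values() if p > 0)


def h2(p):
    """Binary entropy function H(p)."""
    return entropy({0: p, 1: 1.0 - p})


def joint_pairs(n):
    """Exact joint p.m.f. of (x^n, x~^n): memoryless cover source and covert
    channel, K uniform and independent of (X^n, M^n), as Theorem 3 assumes."""
    joint = {}
    for xs in product(UNIVERSE, repeat=n):
        for ms in product(MESSAGE, repeat=n):
            p = 1.0
            for x, m in zip(xs, ms):
                p *= COVER[x] * MESSAGE[m]
            for key in KEYS:
                xt = tuple(embed(x, m, key) for x, m in zip(xs, ms))
                joint[(xs, xt)] = joint.get((xs, xt), 0.0) + p * KEY_PMF[key]
    return joint


def stego_stats():
    """(p_e, epsilon, C): P(X != X~), VD(X, X~) and H(X~|X) for one symbol."""
    joint = joint_pairs(1)
    p_e = sum(p for ((x,), (xt,)), p in joint.items() if x != xt)
    stego = {}
    for (_, (xt,)), p in joint.items():
        stego[xt] = stego.get(xt, 0.0) + p
    # VD = max_S |P_X~(S) - P_X(S)| is attained at S = {x : P_X~(x) > P_X(x)}
    # and therefore equals half the L1 distance between the two p.m.f.s.
    eps = sum(abs(stego.get(x, 0.0) - COVER[x]) for x in UNIVERSE) / 2.0
    cap = entropy(joint) - entropy(COVER)           # H(X~|X) = H(X, X~) - H(X)
    return p_e, eps, cap


def capacity_bound(p_e, eps):
    """Right-hand side of inequality (4)."""
    return h2(p_e) + h2(eps) + (p_e + eps) * log2(len(UNIVERSE) - 1)


def spurious_keys(n):
    """Exact S_n: expected number of keys other than the true one that could
    have produced the observed pair (x^n, x~^n) (known cover-object attack)."""
    total = 0.0
    for (xs, xt), p in joint_pairs(n).items():
        consistent = sum(
            1 for key in KEYS
            if all(embed(x, extract(t, key), key) == t for x, t in zip(xs, xt)))
        total += p * (consistent - 1)
    return total


def spurious_bound(n, cap):
    """Right-hand side of inequality (6): 2^H(K) / 2^(nC) - 1."""
    return 2.0 ** entropy(KEY_PMF) / 2.0 ** (n * cap) - 1.0


if __name__ == "__main__":
    p_e, eps, cap = stego_stats()
    print(f"p_e={p_e:.3f}  eps={eps:.4f}  H(X~|X)={cap:.3f}  "
          f"bound (4)={capacity_bound(p_e, eps):.3f}")
    for n in (1, 2):
        print(f"n={n}: S_n={spurious_keys(n):.3f}  bound (6)={spurious_bound(n, cap):.3f}")
    print(f"unicity distance n_0 >= H(K)/C = {entropy(KEY_PMF) / cap:.3f}")  # (7)
```

For this system every cover symbol is left unchanged with probability 1/2, so p_e = 1/2 and H(X~|X) = 2 bits whatever the cover p.m.f., while the spurious-key count S_n = 1 + 6/2^n stays well above the (rough) bound (6), as the paper's Sect. 5 anticipates.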
5 Conclusion 

In this paper, three kinds of security measures of stegosystems are dis- 
cussed together. The relations and differences between them are analyzed with 
information-theoretic methods. We substitute variational distance for relative 
entropy to measure the security (detectability) of a stegosystem. This new mea- 
surement can upper bound the advantage for passive attackers. And it is proved 
that the capacity (i.e. the robustness for stegosystems with active attackers) 
is limited by security. So an interesting problem is what the expression of hid- 
ing capacity subject to some security level $\varepsilon$ is. Recently, P. Moulin and Y. Wang 
derived the capacity expression for perfectly secure (i.e. $\varepsilon = 0$) steganographic 
systems [20]. 

Our definition of secrecy is an analogue of Shannon’s for cryptosystems. And 
it is shown that there is a tradeoff between secrecy and capacity but some kind 
of consistency of secrecy with security. However, the lower bound for unicity 
distance in Sect. 4 is rough. And a more useful lower bound will be discussed 
with the redundancy of the covert channel in our upcoming paper. 

Extracting attack is a problem that cryptanalysts have to face. So far there 
have been many papers about passive attacks (i.e. steganalysis) such as [18, 
19], while there are few about the extracting attack, which should rely on the tech- 
niques of both steganalysis and cryptanalysis. Our further work will also include 
the study of different kinds of extracting attacks on stegosystems. 
Abstract. Peer-to-peer file sharing networks are a popular means of
sharing a diverse range of resources and information. Many of today’s 
most widely used file sharing networks are built on the Gnutella file shar- 
ing protocol. The open, insecure nature of such networks means that 
they are susceptible to the distribution of malicious, unauthentic or low 
quality resources. XRep is a reputation-based trust management system 
designed to reduce the number of malicious or low quality resources dis- 
tributed in a Gnutella file sharing network. XRep is significant in that it 
can be integrated into a Gnutella environment with minimal disruption. 
This is achieved primarily through the use of the same message passing 
mechanism as in the standard Gnutella protocol. We demonstrate that 
the trust semantics algorithm employed by XRep has a number of weak- 
nesses and does not produce correct trust values when used against a 
range of strategies that can be employed by malicious agents. We describe
an enhanced trust semantics algorithm called X²Rep that can be
seamlessly incorporated into the XRep protocol. We demonstrate that 
this algorithm is robust against such strategies, offers a high degree of 
expressiveness in voting and vote evaluation and significantly reduces the 
network communications required by the XRep protocol. 



1 Introduction 

Peer-to-peer (P2P) file sharing networks have become a popular way of
distributing a diverse range of resources and information. P2P systems are truly
decentralized systems that are believed to reflect society better than other types
of computer architectures. In a P2P network each node is both a client and a
server, and by participating in the network it allows others to access its
computing resources. P2P networks have a number of attractive properties,
including scalability, anonymity and fault-tolerance, that are much harder to
achieve in traditional networks. Nodes can join and leave the network without
leaving any trace and, while active, can initiate downloads and respond to
queries. However, due to the lack of accountability, such networks have
tremendous potential to be misused. For example, a malicious peer can use the
network to distribute malicious code [7].
Another important problem is the authenticity and quality of downloaded
resources. Unauthentic or poor quality resources could be deliberately shared by
the casual user. A peer that has requested a resource may receive one or more
response(s) and needs to decide which one, if any, to download. In the absence of
any mechanism to differentiate between good and poor quality resources, a peer
may have to download a resource many times, and this will result not only in
high network cost but also contribute to network load and slower downloads.

Traditional methods of providing security in networks cannot be implemented 
effectively as the heavy use of cryptography will not only slow down the net- 
work but also may be unacceptable to users with less powerful computers. An 
approach to increase the reliability of P2P networks without losing their essential
properties including anonymity is to use reputation systems to identify the qual- 
ity of peers and resources. A reputation system collects, processes and distributes 
information about entities based on their history in the system [7]. For exam- 
ple in a P2P system, a peer’s reputation may be determined by its behaviour 
in previous transactions, and a resource reputation may be determined by the 
evaluation of peers who have downloaded the resource. 

In [5], a reputation based trust management system for the Gnutella protocol
was proposed that has a number of attractive properties. The system uses the
reputation of both peers and resources to assist a requesting peer in selecting
which resource to download. The reputations generated by the system give a
user an indication of the level of risk associated with the download, hence
enabling him to make the required provisions. This is the first system that
includes reputations of resources, and it is shown that because of this inclusion
a number of known attacks can be prevented. An important feature of the system
is that the reputation system can be incorporated into the Gnutella protocol and
the additional information piggybacked onto the existing Gnutella protocol.



1.1 Our Contribution 

We present a trust semantics algorithm called X²Rep that extends the XRep
protocol. The purpose of X²Rep is to address the weaknesses of XRep. We
demonstrate that our algorithm provides substantial improvements against these 
weaknesses using extensive simulations. We give more expressive power to peers 
to express their opinion about resources that they have downloaded and the 
peers that they have downloaded from. We allow collusions of malicious peers to 
use a range of strategies and use the reputation to protect against these attacks. 

A major challenge to the development of a reputation system is to ensure 
the reliability of gathered reputation information. In particular, it is vital that 
any “vote spoofing” activity is as difficult or expensive as possible for malicious 
agents. The XRep protocol uses a complex process of challenge and response 
messages to ensure that a vote is supplied by a ‘real’ peer. We eliminate this 
complexity by employing an extensive vote generation and evaluation system that
makes use of voter credibility information. Voter credibility is an additional piece 
of information that helps an evaluating peer to determine the trustworthiness of 
a voter’s vote through the evaluation of the voter’s previous voting activity. 
1.2 Related Work

Reputation-based trust management systems must address issues at two levels 
[2]: 1) Data Management, and 2) Trust semantics. Data management is con- 
cerned with the storage and dissemination of reputation information in a dis- 
tributed environment with no centralised control. Trust semantics specify the 
model for the evaluation of ‘trust’ through the computation of gathered reputa- 
tion information. 

Data management techniques used in distributed reputation-based trust 
management systems fall into two broad categories: 

1. Peers maintain repositories of their experiences and make it available to 
others through a voting mechanism; 

2. Reputation information is held in the network and is accessed through an 
additional network overlay, such as a distributed hash table (DHT). 

Work in the former category includes XRep [5] and its predecessor, P2PRep [4]. 
In both protocols the reputation information is piggybacked onto the Gnutella 
P2P file sharing protocol. In the P2PRep protocol reputation information is 
associated only with peers. 

Work in the latter category includes EigenRep [6] that uses a distributed 
hash table as its network overlay. Another system in this category is proposed 
by Aberer and Despotovic [2] and uses a P-Grid [1] as its network overlay. A novel 
aspect of this system is the use of a complaint system for assigning reputations. 

The rest of this paper is organised as follows. In Section 2.1 we give a 
brief overview of the Gnutella protocol and XRep protocol. Section 3 gives our 
analysis of the system and its shortcomings. Section 4 defines the properties 
that must be found in a reputation system. Section 5 describes X²Rep, our
trust semantics algorithm. Finally, Section 6 concludes the paper. 



2 Peer-to-Peer File Sharing 

Recent years have seen a tremendous growth in the popularity of peer-to-peer 
(P2P) file-sharing networks [9]. Traditionally, the term P2P has been used to 
describe a decentralised network architecture in which all peers have equal roles 
and responsibilities, and follow the same behavioural patterns. In a P2P network, 
a peer acts as both client and server and exchanges information and services 
directly with other peers. Often, a peer also acts as a router, forwarding messages 
it receives to directly connected neighbours. 

Each peer in a P2P file-sharing network participates by offering files for 
downloading by other peers. A file exchange interaction follows two phases; a 
search phase in which the enquirer attempts to locate a peer offering the desired 
file, and a download phase in which the peer connects directly with the offerer to 
initiate the download, commonly using traditional protocols such as HTTP or 
FTP. Many of today's most widely used P2P file sharing applications are based
on the Gnutella protocol [8].
2.1 XRep Protocol

XRep [5] is a notable reputation based trust management system that can 
be straightforwardly piggybacked onto the Gnutella P2P file sharing protocol. 
XRep defines a secure protocol for the exchange of reputation information using
the same message passing mechanisms as used in standard Gnutella Query
and QueryHit exchanges. Thus, to provide XRep functionality, current Gnutella
implementations require only modest modifications.

In XRep reputation information is associated with both peers and resources. 
XRep requires resources and peers to be uniquely identifiable. This is achieved 
by using the digest of a resource’s content as the resource id, and the digest 
of the public key of a peer as the peer_id. Using a cryptographic hash function
ensures that the resources and the peers are uniquely identifiable. 

When considering a file download in Gnutella, the user selects the resource 
that best satisfies the request (using information such as the standard resource 
meta data string and offerers connection speed). To assist the user in making 
the download decision, the network is ‘polled’ for any available reputation infor- 
mation on that resource and the peers that offer it. Poll messages are broadcast 
in the same way as Gnutella Query messages. All peers maintain repositories of 
their experiences (both good and bad) of resources they have downloaded and 
the peers with whom they have interacted. When a peer receives a Poll message, 
it checks its repositories for matching resource and peer identifiers. If it has some 
information to offer, it generates a set of binary votes based on its experiences, 
and returns them to the enquirer as a PollReply message.

The resource and peer votes are then processed and combined to produce a 
single value to the user as a reputation value for the download under consider- 
ation. Based on this reputation value, the user can make a decision whether or 
not to initiate a download. 

Prior to the download, the offering peer for whom the highest peer reputation 
value was calculated is contacted directly to verify that it has really offered the 
target resource. This exchange is known as the Best Peer Check. 

We note the following about the protocol. 

Phase 1. A minor change to the Gnutella Query exchange is required; the re- 
source identifier is added to the resource information contained in the ResultSet 
of the QueryHit message. This allows the polling peer to uniquely identify each
offered resource. 

Phase 2. The poll message consists of the identifier of the resource under
consideration and the set of peers that offer it. Also included is a public key
PK_poll for which only the polling peer knows the private key. This may be a
persistent key pair or a pair generated on the fly for each poll. Voting peers
return their votes for some or all of the entities listed in the Poll message
together with their IP address. The message is encrypted with PK_poll to ensure
confidentiality.

Phase 3. Once a set of votes is received, the polling peer must try to ensure the
reliability of the votes and the honesty of the voters. The polling peer attempts
this by carrying out the following steps.
— Decrypt each PollReply message and detect any tampering that may have
taken place.

— Group votes from voters that are from the same IP network.

— Select a portion of peers from each group and send them a TrueVote challenge,
from which the poller expects to receive a TrueVoteReply. This ensures that at
least some of the votes are from genuine peers and not merely spoofed votes
from non-existent IP addresses.

Phase 4. At this stage the polling peer has evaluated trust for all the entities
under consideration. The poller now carries out one further phase to ensure that
the peer with the best trust evaluation exists and actually offers the resource.
This is important for two reasons:

— A malicious peer is prevented from ‘hijacking’ the identity (peer_id) of a
reputable peer.

— If it can be established that the resource has a good reputation and is of- 
fered by a peer with a good reputation, then it is possible to download that 
resource from any offerer and be assured that the resource is reliable. This 
can be considered as a load balancing technique. 

3 Evaluating XRep 

XRep uses the same constrained broadcast and back propagation mechanisms as 
used in the standard Gnutella Query and QueryHit exchange and therefore effec- 
tively doubles the amount of traffic required to complete a single transaction. A 
number of additional messages must also be exchanged to ensure vote reliability 
and the existence of voting peers. 

The main shortcoming of XRep is the inadequacy of its trust semantics and the
calculation of reputation values. In XRep a peer's experience repository consists
of a table that contains a binary value for each resource describing the peer's
opinion, good (+) or bad (−), about the resource, and a peer repository, which
includes triplets (peer_id, num_plus, num_minus) that record the number of good
and bad download counts for each peer.

When polled, a peer converts these experiences into a binary vote for each 
entity matched in the poll message. Although these values are adequate to pro- 
vide rudimentary information on whether a peer or resource is good or bad, finer 
evaluations such as the voter’s judgement on the quality of a resource cannot be 
expressed. This results in the reputation calculation becoming ineffective against 
a range of malicious strategies. Important successful malicious strategies are the 
following. 

— The generation of “spoofed” positive votes from fake peer identities. 

— The systematic generation of positive votes for other members of a voting 
clique. 

— The generation of negative votes for genuine peers in order to reduce their 
evaluated trust value. 
The XRep protocol attempts to ensure the reliability of votes and protect
against votes originating from colluding peers. It does this by identifying voting
cliques through clustering the votes that are provided by voters with the same
network portion of their IP address. Such a correlation between colluding peers
and IP addresses is tenuous because:

— Users connecting via a proxy server will share the same network part of their 
IP address and will therefore be considered as part of a voting collusion. It is 
therefore likely that a substantial number of legitimate votes will be treated 
as malicious. 

— It is highly likely that, in the real world, malicious agents will have completely 
different IP addresses, for example, if they subscribe to different providers. 
These agents will therefore be able to continue generating spurious votes 
unchallenged. 

— The protocol requires that a portion of the clustered peers be directly
contacted to ensure that they have actually voted. It is impractical to
directly contact any more than a very small proportion of peers from each
cluster and therefore a large amount of spurious voting activity could poten- 
tially continue unchallenged. 

XRep provides some safeguards against ID Stealth attacks. These attacks
take place when a malicious peer ‘hijacks’ the identity (peer_id) of a reputable
peer in order to deceive another peer into a malicious download. In such cases,
the downloading peer believes it is interacting with a peer with a good reputation.
XRep provides safeguards against this attack in the Best Peer Check message 
exchange. Prior to downloading a resource, the downloading peer challenges the 
offering peer as to whether it really does offer the resource under consideration. 
The offering peer sends a response that is signed using its private key, and also 
supplies its public key. The downloading peer can be certain of the identity of the 
offering peer, firstly by verifying the signature of the message, and secondly by 
taking a cryptographic hash of the provided public key and comparing it against 
the peer id of the offering peer. If all verification is successful the downloading 
peer can initiate the download. 
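The Best Peer Check of Phase 4 and its role against ID Stealth, worked through as an added example (not code from the XRep paper or from any implementation of it): the offering peer signs the poller's challenge and supplies its public key, and the downloading peer accepts only if the signature verifies and the key hashes to the reputable peer_id whose reputation it evaluated. Ed25519, SHA-256, the challenge nonce and the byte layout are assumptions; the paper fixes none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PeerID is the digest of a peer's public key, which is how XRep names peers.
// SHA-256 is an assumption; the paper only says "cryptographic hash".
func PeerID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Challenge is the Best Peer Check question: which resource is being offered,
// plus a fresh nonce (our addition) so a recorded answer cannot be replayed.
type Challenge struct {
	ResourceID string
	Nonce      [16]byte
}

// Response is the offering peer's answer: its public key and a signature.
type Response struct {
	Pub       ed25519.PublicKey
	Signature []byte
}

func (c Challenge) bytes() []byte {
	return append([]byte(c.ResourceID), c.Nonce[:]...)
}

// Answer is the offering peer's side of the exchange.
func Answer(priv ed25519.PrivateKey, c Challenge) Response {
	return Response{
		Pub:       priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, c.bytes()),
	}
}

// VerifyBestPeer is the downloading peer's side: the signature must verify
// under the supplied key, and that key must hash to the peer_id for which the
// reputation was computed. A peer that merely claims a reputable peer_id
// (ID stealth) fails the hash check; a replayed answer fails the signature.
func VerifyBestPeer(expectedPeerID string, c Challenge, r Response) bool {
	if len(r.Pub) != ed25519.PublicKeySize {
		return false
	}
	if !ed25519.Verify(r.Pub, c.bytes(), r.Signature) {
		return false
	}
	return PeerID(r.Pub) == expectedPeerID
}

func main() {
	honestPub, honestPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)
	c := Challenge{ResourceID: "digest-of-resource-content"} // constructed id
	rand.Read(c.Nonce[:])
	reputable := PeerID(honestPub)
	fmt.Println("genuine offerer accepted:", VerifyBestPeer(reputable, c, Answer(honestPriv, c)))
	fmt.Println("impostor accepted:", VerifyBestPeer(reputable, c, Answer(impostorPriv, c)))
}
```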

3.1 Malicious Strategies 

We focus on three basic strategies that can be employed by a single malicious peer 
or a group (collusion) of malicious peers with the intention of circumventing or 
degrading the reputation system in order to continue to share malicious resources 
unchallenged. We outline these strategies in the following sections. 

Strategy A. This strategy is the simplest way for a malicious peer to share 
malicious resources. The peer actively participates in the network by offering 
good resources. However, occasionally the malicious peer will offer malicious
resources. The malicious peer must carefully monitor the amount of good and
bad resources it supplies in order to maintain a network-wide reputation that is 
sufficiently high for other peers to deem it trustable. 




